Problem with certificate - follow up

Werner Koch
Thu Oct 2 18:13:01 2003

On Thu, 2 Oct 2003 13:59:15 +0200, Luca M G Centamore said:

> So I guess the problem is the md2WithRSAEncryption algorithm.

We don't support MD2 because it is an ancient, proprietary and useless
algorithm.  From rfc4559:

7.1.1  MD2 One-way Hash Function

   MD2 was developed by Ron Rivest for RSA Data Security. RSA Data
   Security has not placed the MD2 algorithm in the public domain.
   Rather, RSA Data Security has granted license to use MD2 for non-
   commercial Internet Privacy-Enhanced Mail.  For this reason, MD2 may
   continue to be used with PEM certificates, but SHA-1 is preferred.
   MD2 produces a 128-bit "hash" of the input.  MD2 is fully described
   in RFC 1319 [RFC 1319].

   At the Selected Areas in Cryptography '95 conference in May 1995,
   Rogier and Chauvaud presented an attack on MD2 that can nearly find
   collisions [RC95].  Collisions occur when one can find two different
   messages that generate the same message digest.  A checksum operation
   in MD2 is the only remaining obstacle to the success of the attack.
   For this reason, the use of MD2 for new applications is discouraged.
   It is still reasonable to use MD2 to verify existing signatures, as
   the ability to find collisions in MD2 does not enable an attacker to
   find new messages having a previously computed hash value.

So this used to be a trade secret thing, but by describing the algorithm
and allowing it to be used for certain tasks (i.e. non-commercial use of
the obsolete and insecure PEM), they can for sure make a better case
than SCO will ever be able to do.

> Any workaround?

Boycott Verisign.


Werner Koch
The GnuPG Experts
Free Software Foundation Europe
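
To confirm the diagnosis discussed in this thread, the following added example (not part of the original message and not GnuPG code) reads the outer signatureAlgorithm OID from a DER-encoded certificate so that md2WithRSAEncryption certificates can be identified. The sample bytes are a constructed skeleton, not a real certificate, and all function names are hypothetical.

```python
KNOWN = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}

def read_tlv(buf, pos):  # returns (tag, value_start, value_end) of the element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def decode_oid(body):  # assumes first octet < 80, i.e. an OID under arc 0 or 1
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)  # base-128, high bit = "more follows"
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):  # returns (oid, name) of the outer signatureAlgorithm
    tag, start, _ = read_tlv(cert, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(cert, start)        # skip over tbsCertificate
    tag, alg_start, _ = read_tlv(cert, tbs_end)  # AlgorithmIdentifier SEQUENCE
    otag, oid_start, oid_end = read_tlv(cert, alg_start)
    if tag != 0x30 or otag != 0x06 or oid_start == oid_end:
        raise ValueError("unexpected signatureAlgorithm encoding")
    oid = decode_oid(cert[oid_start:oid_end])
    return oid, KNOWN.get(oid, "unknown")

def der(tag, body):  # sample builder only; bodies here stay below 256 bytes
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def sample_cert(oid_body):  # constructed skeleton: stub TBS, algorithm, dummy signature
    alg = der(0x30, der(0x06, oid_body) + der(0x05, b""))
    tbs = der(0x30, der(0x02, b"\x01") + alg)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xaa" * 128))

MD2_SAMPLE = sample_cert(bytes.fromhex("2a864886f70d010102"))
```

For a certificate stored as PEM, base64-decode the body between the BEGIN and END lines first and pass the resulting bytes to `signature_algorithm`.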