Matt Crawford | 2 Mar 16:03 2005

Re: X.509 certificate collision, via MD5 collisions

On Mar 1, 2005, at 18:08, Paul Hoffman wrote:

> From the description in the paper, it appears that step 1 requires 
> that the template for the certificate must be known before you create 
> the two RSA keys. If that is true, then a CA who uses long serial 
> numbers either randomly or based on a secret would automatically foil 
> this attack. (I could be misreading the requirement, of course.)

What's more, the two certificates are identical in every field before 
the public RSA modulus -- including the SubjectDN.  This is less 
interesting than it might be.  But clearly it would be foolish to 
believe that collisions with different SubjectDNs won't follow soon.
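
Added example, not part of the original message or of the paper it discusses: a Python sketch of why the data before the colliding blocks must be known in advance, as Paul Hoffman's quoted point suggests. It uses the published 2004 MD5 collision pair for the standard IV (not the blocks from the colliding certificates); `tbs_prefix` and `random_serial` are hypothetical helpers, and the prefix is a constructed stand-in for the certificate fields before the modulus, not real DER.

```python
import hashlib
import secrets

# Published MD5 collision pair for the standard IV (Wang et al., 2004).
# These are NOT the blocks from the colliding certificates in this thread.
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
# The second message differs only in the top bit of six bytes.
_m2 = bytearray(M1)
for offset in (19, 45, 59, 83, 109, 123):
    _m2[offset] ^= 0x80
M2 = bytes(_m2)


def collides(prefix: bytes, suffix: bytes = b"") -> bool:
    """True if the pair still collides with this data before and after it."""
    a = hashlib.md5(prefix + M1 + suffix).digest()
    b = hashlib.md5(prefix + M2 + suffix).digest()
    return a == b


def random_serial(nbytes: int = 8) -> bytes:
    """Hypothetical CA policy: a serial number the requester cannot predict."""
    return secrets.token_bytes(nbytes)


def tbs_prefix(serial: bytes) -> bytes:
    """Constructed stand-in for every signed field before the RSA modulus."""
    fields = b"serial=" + serial.hex().encode() + b";issuer=Example CA;subject=CN=example"
    # Pad to a whole number of 64-byte MD5 blocks so the pair starts on a
    # block boundary, as collision blocks must.
    return fields + b"\x00" * (-len(fields) % 64)


if __name__ == "__main__":
    # The pair collides for the chaining value it was computed against.
    print("standard IV:          ", collides(b""))
    # Identical data appended after a collision keeps the hashes equal.
    print("with common trailer:  ", collides(b"", b"identical trailing fields"))
    # A serial chosen by the CA changes the chaining value before the blocks,
    # so blocks prepared against any other prefix no longer collide.
    print("after random serial:  ", collides(tbs_prefix(random_serial())))
```

The first two checks print `True` and the third prints `False`: the collision is bound to the MD5 state produced by everything hashed before it, which is why an unpredictable serial number in that prefix forces the blocks to be recomputed after the CA has already fixed the value.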