From: "Matthias Niggemeier"
To: security-dev@xml.apache.org
Subject: RE: MD5 algorithm in XSEC
Date: Thu, 27 Oct 2005 13:25:00 +0200
Message-ID: <000c01c5dae9$14831fe0$dc0110ac@intranet.dcmgmbh.de>
In-Reply-To: <20051027084326.36E6A10FB2A9@asf.osuosl.org>

> -----Original Message-----
> From: Milan Tomic [mailto:milan@setcce.org]
> Sent: Thursday, October 27, 2005 10:43 AM
> To: security-dev@xml.apache.org
> Subject: RE: MD5 algorithm in XSEC
>
> Are you aware of recent collision findings for the MD5 algorithm?
>
> I think that MD5 algorithm support should be removed from
> Windows and Java as well (as soon as possible, with the next
> release or service pack). By supporting the MD5 algorithm we are
> leaving security holes in our applications and we are giving
> our users a fake feeling of security. For example, my bank is
> still using certificates signed with the MD5 algorithm for
> e-banking. We are approaching disaster and it is a
> question of a day or a month when we will hit the ground.

Milan, from an academic point of view you are certainly right. But the MD5 algorithm is still widely used, so removing MD5 would lead me into serious trouble. I receive XML files from embedded systems, for example; these systems cannot be updated (theoretically they can, but who pays?). "Security" is a consideration between risk, cost and convenience. Even with a pessimistic point of view, the risk that somebody changes my XML files while keeping the same hash is extremely low. So there is only little reason for me to change this.

This is just an example; I think there are several applications that need MD5. So I would vote to leave MD5 support as is, since it is standard conformant up to today. Surely, I would not recommend using it, but what about when you get signed files from an external source? Sometimes (like me) you just get the files, without a chance to change the behaviour of the foreign system.

Regards
Matthias
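Matthias's position is a risk trade-off: MD5-signed files from systems that cannot be updated still have to be accepted, while nobody would recommend MD5 for new signatures. The Python below is an example added to this archive page (not XSEC code, and not written by either poster) showing how a verifier can make that trade-off explicit instead of silent: it reads the algorithm URIs declared in an XML Signature, classifies the MD5 identifiers as legacy, and accepts such a signature only for producers that are explicitly allow-listed, reporting the weak algorithms so they can be logged. The algorithm URIs are the standard XMLDSig ones plus the MD5 identifiers from RFC 4051; the policy table, the `legacy_producer` flag and the two sample documents are constructed for the demo.

```python
"""Policy check for the hash and signature algorithms declared in an XML Signature.

Added example, not part of XSEC or of this thread. It assumes signatures use the
standard XMLDSig namespace and the algorithm URIs from the XMLDSig core spec and
RFC 4051; the two sample documents below are constructed for the demo.
"""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# How a verifier should treat each algorithm identifier found in a signature:
#   "ok"     - current practice, accept.
#   "legacy" - collision attacks are practical; accept only from producers that
#              are explicitly allow-listed (e.g. embedded systems that cannot be
#              updated) and record a warning every time.
# Anything not listed is treated as unknown and rejected. (Constructed policy.)
POLICY = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "ok",
    "http://www.w3.org/2001/04/xmlenc#sha256": "ok",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-md5": "legacy",
    "http://www.w3.org/2001/04/xmldsig-more#md5": "legacy",
}


def audit_signature(xml_text):
    """Return (element name, algorithm URI, policy status) for every
    SignatureMethod and DigestMethod found in the document."""
    root = ET.fromstring(xml_text)
    findings = []
    for sig in root.iter(DS + "Signature"):
        method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
        if method is not None:
            uri = method.get("Algorithm", "")
            findings.append(("SignatureMethod", uri, POLICY.get(uri, "unknown")))
        # One DigestMethod per <Reference>. A single weak digest is enough to
        # let the referenced content be swapped, so every one is checked.
        for digest in sig.iter(DS + "DigestMethod"):
            uri = digest.get("Algorithm", "")
            findings.append(("DigestMethod", uri, POLICY.get(uri, "unknown")))
    return findings


def decide(findings, legacy_producer=False):
    """Map audit findings to "accept", "accept-with-warning" or "reject".

    legacy_producer (hypothetical flag) is True when the file comes from a
    sender on the allow-list of systems that can only produce MD5 signatures."""
    if not findings:
        return "reject"  # no Signature element at all
    statuses = {status for _, _, status in findings}
    if "unknown" in statuses:
        return "reject"
    if "legacy" in statuses:
        return "accept-with-warning" if legacy_producer else "reject"
    return "accept"


def legacy_algorithms(findings):
    """The distinct weak algorithm URIs, for the warning log line."""
    return sorted({uri for _, uri, status in findings if status == "legacy"})


# Constructed sample: a signature as an old embedded system might emit it.
LEGACY_DOC = """<Report xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Data Id="d1">42</Data>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
      <ds:Reference URI="#d1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</Report>"""

# Constructed sample: the same document signed with current algorithms.
MODERN_DOC = (LEGACY_DOC
              .replace("xmldsig-more#rsa-md5", "xmldsig-more#rsa-sha256")
              .replace("xmldsig-more#md5", "xmlenc#sha256"))


if __name__ == "__main__":
    cases = (("legacy sender, not allow-listed", LEGACY_DOC, False),
             ("legacy sender, allow-listed", LEGACY_DOC, True),
             ("modern sender", MODERN_DOC, False))
    for name, doc, allowed in cases:
        found = audit_signature(doc)
        verdict = decide(found, legacy_producer=allowed)
        weak = legacy_algorithms(found) if verdict != "accept" else []
        print(f"{name}: {verdict} {weak}")
```

The point of separating `audit_signature` from `decide` is that the verifier's answer is no longer buried in library defaults: the same findings yield "reject" for an unknown sender and "accept-with-warning" for an allow-listed embedded system, and the warning names the weak algorithm so the exception is visible in logs rather than forgotten. Note that this checks only the declared algorithms; the cryptographic verification of the digest and signature values still has to be done by the XMLDSig library itself.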