3 Jan 2009, 8:57 a.m.
* Joe Greco:
A CA statement that they won't issue MD5-signed certificates in the future should be sufficient. There's no need to reissue old certificates, unless the CA thinks other customers have attacked it.
That would seem to be at odds with what the people who documented this problem believe.
What do they believe? That the CA should reissue certificates even if the CA assumes that there haven't been other attacks? Or that the CA should not reissue, despite evidence of other attacks?