The VeriSign timestamping service is being upgraded to provide a higher level of security. The timestamping service currently uses the hash algorithm called MD5 to create the timestamp. Although no actual incidents of breaking MD5 have been reported, modern computing power is making it easier to mount attacks against MD5.
The timestamping service is being upgraded to use the hash algorithm called SHA-1 to create the timestamp. Microsoft has confirmed that an application signature that contains a timestamp created with the SHA-1 hash algorithm is validated correctly on Windows Vista, Windows 2003, Windows XP, and Windows 2000.
The upgrade will occur by July 15, 2008.
Who may be affected: Anyone using the VeriSign timestamping service.
How will they be affected: There should be no issue for users signing applications on or for Windows Vista, Windows 2003, Windows XP, and Windows 2000. Application signing on or for earlier versions of Windows, or for non-Windows platforms, may result in signatures not being successfully validated.
What should they do: Use a more recent version of Windows, or sign the application without a timestamp.
Please use the following contact information if you have questions or concerns about this upgrade:
https://www.thawte.com/ssl-digital-certificates/technical-support/
[Via: Thawte Technical Support]
June 16th, 2008 