Comment 52 for bug 312536

Comment on attachment 366681
Patch v3 - for review

I am not opposed to the idea of this patch, but I don't think we should keep this environment variable forever. This should be only a stopgap measure to give time to people to migrate their infrastructure away from using MD2.

I haven't had time to get up to speed on just how broken MD2 is. But I would prefer a stronger wording for the environment variable chosen. Something like :

NSS_MAKE_VULNERABLE_TO_MD2_ATTACK_FIX_YOUR_CERTS_BEFORE_OCT_01_2009_OR_YOU_WILL_BE_SORRY .
I know it's quite a mouthful, but it drives the point home. Other strong wordings are also welcome.

The idea would be that we remove support for this environment variable in any NSS release made after that date - there would be no way to turn MD2 back in any later release of NSS .

Another suggestion also - depending on how bad the attacks on MD2 are, we may also want to consider removing the MD2 implementation from softoken at a set date in the future.