[cryptography] [SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Ian G iang at iang.org
Tue Sep 6 13:00:43 EDT 2011

On 5/09/11 7:23 PM, Gervase Markham wrote:
> Hi Peter,
> On 04/09/11 07:15, Peter Gutmann wrote:
>> Blacklist-based validity checking, the Second Dumbest Idea in Computer
>> Security (Marcus Ranum), doesn't work:
>>    Diginotar issued certs for which there was no record of issuance, therefore
>>    they couldn't be revoked.  Whitelist-based checking would have prevented
>>    this.
> Surely OCSP is whitelist-based checking? (I can't imagine engineering an
> OCSP server which, when asked about a certificate for which it had no
> record, said "Fine, no problem!")

Apparently no need to stress our imagination ;)

Current browsers perform an OCSP check as soon as the browser connects 
to an SSL protected website through the https protocol. The serial 
number of the certificate presented by the website a user visits is sent 
to the issuing CA OCSP-responder. The OCSP-responder can only answer 
either with „good‟, „revoked‟ or „unknown‟. If a certificate serial 
number is presented to the OCSP-responder and no record of this serial 
is found, the normal OCSP-responder answer would be „good‟. The 
OCSP-responder answer „revoked‟ is only returned when the serial is 
revoked by the CA. In order to prevent misuse of the unknown issued 
serials the OCSP-responder of DigiNotar has been set to answer „revoked‟ 
when presented any unknown certificate serial it has authority over. 
This was done on September 1st.
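To make the blacklist-versus-whitelist point concrete, here is a toy OCSP responder model (an added illustration, not code from this thread or from the Fox-IT report) that answers from an issuance log and a CRL under both policies; the serial numbers and class names are constructed for the example.

```python
# Added illustration: a toy OCSP responder showing why blacklist-based status
# checking cannot catch certificates the CA never recorded issuing, while
# whitelist-based checking (DigiNotar's post-September-1st behaviour) can.
# All serial numbers below are constructed sample values.

GOOD, REVOKED = "good", "revoked"   # "unknown" is the third OCSP status; unused here


class ToyOcspResponder:
    """Models a CA's OCSP responder backed by an issuance log and a CRL."""

    def __init__(self, issued, revoked, policy):
        self.issued = set(issued)      # serials the CA recorded issuing
        self.revoked = set(revoked)    # serials the CA has revoked (the CRL)
        if policy not in ("blacklist", "whitelist"):
            raise ValueError("policy must be 'blacklist' or 'whitelist'")
        self.policy = policy

    def status(self, serial):
        if serial in self.revoked:
            return REVOKED
        if serial in self.issued:
            return GOOD
        # No issuance record for this serial (e.g. a cert minted by an intruder).
        if self.policy == "blacklist":
            return GOOD      # default described above: not on the CRL, so "good"
        return REVOKED       # whitelist stance: no record of issuance, so "revoked"


def client_accepts(responder, serial):
    """A relying party that proceeds only on a definitive 'good' answer."""
    return responder.status(serial) == GOOD


ISSUED = {0x1001, 0x1002, 0x1003}   # constructed: legitimately issued serials
CRL = {0x1002}                      # constructed: one legitimate cert revoked
ROGUE = 0xDEAD                      # constructed: minted by an intruder, never logged


def demo():
    """Return, per policy, which serials a relying party would accept."""
    results = {}
    for policy in ("blacklist", "whitelist"):
        responder = ToyOcspResponder(ISSUED, CRL, policy)
        results[policy] = {
            hex(s): client_accepts(responder, s) for s in sorted(ISSUED | {ROGUE})
        }
    return results


if __name__ == "__main__":
    for policy, verdicts in demo().items():
        print(policy, verdicts)
```

Under the blacklist policy the rogue serial is accepted because it was never on any CRL; under the whitelist policy it is refused because the CA has no record of issuing it, while the legitimately issued and revoked serials behave identically under both.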


>> Universal implicit cross-certification makes the entire system as weak as the
>> weakest link:
>>    Diginotar apparently issued certs for other major CAs like Equifax, Thawte,
>>    and VeriSign, allowing them to usurp other major CAs.
> I would disagree that _this_ makes the entire system as weak as its
> weakest link. It only makes systems which choose to interlink in any way
> as weak as the weakest link.
> The thing which makes the entire system as weak as its weakest link is
> the lack of CA pinning.

No, this is putting the solution before the problem.  What makes the 
system as weak as its weakest link is the fact that all CAs are 
homogenised and anonymised within the vendors' products.

That's vendor policy.

A possible fix to that is CA pinning, which is a partial and judicious 
unwinding of the policy of homogenisation and anonymisation.

Whether this is efficacious or worth the money is yet to be seen. 
Whether subscriber-side CA pinning is better than other alternates (e.g. 
browser-side CA pinning or CA branding) is also open to question.

But, if the vendors choose to back one horse, then that's where the 
public's money goes.  So we might not ever find out whether other 
solutions help.
