[cryptography] [SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
iang at iang.org
Tue Sep 6 13:00:43 EDT 2011
On 5/09/11 7:23 PM, Gervase Markham wrote:
> Hi Peter,
> On 04/09/11 07:15, Peter Gutmann wrote:
>> Blacklist-based validity checking, the Second Dumbest Idea in Computer
>> Security (Marcus Ranum), doesn't work:
>> Diginotar issued certs for which there was no record of issuance, therefore
>> they couldn't be revoked. Whitelist-based checking would have prevented
> Surely OCSP is whitelist-based checking? (I can't imagine engineering an
> OCSP server which, when asked about a certificate for which it had no
> record, said "Fine, no problem!")
Apparently no need to stress our imagination ;)
Current browsers perform an OCSP check as soon as the browser connects
to an SSL protected website through the https protocol. The serial
number of the certificate presented by the website a user visits is sent
to the issuing CA OCSP-responder. The OCSP-responder can only answer
either with "good", "revoked" or "unknown". If a certificate serial
number is presented to the OCSP-responder and no record of this serial
is found, the normal OCSP-responder answer would be "good". The
OCSP-responder answer "revoked" is only returned when the serial is
revoked by the CA. In order to prevent misuse of the unknown issued
serials the OCSP-responder of DigiNotar has been set to answer "revoked"
when presented any unknown certificate serial it has authority over.
This was done on September 1st.
>> Universal implicit cross-certification makes the entire system as weak as the
>> weakest link:
>> Diginotar apparently issued certs for other major CAs like Equifax, Thawte,
>> and VeriSign, allowing them to usurp other major CAs.
> I would disagree that _this_ makes the entire system as weak as its
> weakest link. It only makes systems which choose to interlink in any way
> as weak as the weakest link.
> The thing which makes the entire system as weak as its weakest link is
> the lack of CA pinning.
No, this is putting the solution before the problem. What makes the
system as weak as its weakest link is the fact that all CAs are
homogenised and anonymised within the vendors' products.
That's vendor policy.
A possible fix to that is CA pinning, which is a partial and judicious
unwinding of the policy of homogenisation and anonymisation.
Whether this is efficacious or worth the money is yet to be seen.
Whether subscriber-side CA pinning is better than other alternates (e.g.
browser-side CA pinning or CA branding) is also open to question.
But, if the vendors choose to back one horse, then that's where the
public's money goes. So we might not ever find out whether other
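The difference between blacklist-based and whitelist-based OCSP answers discussed in the thread, as an added toy model that is not part of the original message or any DigiNotar/Fox-IT code. It assumes a single CA with an issuance log and a revocation list, hypothetical serial numbers, and a client that proceeds only on an explicit "good".

```python
from dataclasses import dataclass, field

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"  # the three OCSP answers


@dataclass
class OcspResponder:
    """Toy single-CA OCSP responder: the CA's issuance log plus its revocations."""
    issued: set = field(default_factory=set)    # serials with an issuance record
    revoked: set = field(default_factory=set)   # serials the CA has revoked
    no_record_answer: str = GOOD                # answer for a serial never logged

    def status(self, serial: int) -> str:
        if serial in self.revoked:
            return REVOKED
        if serial in self.issued:
            return GOOD
        # Serial absent from the issuance log. Answering "good" here makes this a
        # blacklist check (a cert minted outside the log passes); answering
        # "revoked" (DigiNotar's September 1st setting) or "unknown" turns it
        # into a whitelist check.
        return self.no_record_answer


def client_accepts(status: str) -> bool:
    """Assumed client policy: proceed only on an explicit 'good'."""
    return status == GOOD


# Constructed sample CA state (hypothetical serials, not DigiNotar's).
ISSUED = {0x1001, 0x1002, 0x1003}
REVOKED_BY_CA = {0x1002}
ROGUE_SERIAL = 0xBAD0   # minted by an intruder, so it never reached the log

blacklist = OcspResponder(ISSUED, REVOKED_BY_CA, no_record_answer=GOOD)
whitelist = OcspResponder(ISSUED, REVOKED_BY_CA, no_record_answer=REVOKED)


def compare(serial: int) -> dict:
    """What each responder says about a serial, and whether the client accepts."""
    return {
        name: (r.status(serial), client_accepts(r.status(serial)))
        for name, r in (("blacklist", blacklist), ("whitelist", whitelist))
    }


if __name__ == "__main__":
    for s in (0x1001, 0x1002, ROGUE_SERIAL):
        print(hex(s), compare(s))
```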