[cryptography] Diginotar broken arrow as a tour-de-force of PKI fail

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Sep 6 22:40:57 EDT 2011

[Responding to the same three lists as before, please trim followups if you
 feel it's off-topic]

In response to my earlier "OCSP is unfixably broken, by design" comments, a
couple of people have responded off-list with variants of "OK smartypants, how
would you do it better?".  In order to provide a general answer (and avoid
fragmenting the discussion into lots of private-mail threads), I'll point to


This addresses all the problems I've pointed out in OCSP, as well as things
OCSP never considered like performance issues (thus Verisign's
security-breaking OCSP "optimisations").  It's been peer-reviewed and vetted,
and I could have it re-posted in current draft format in a couple of days if
there's any interest in finally switching validity-checking to proper
whitelists (and fixing all of OCSP's other bugs).

Two notes:

1. This isn't a "get my pet protocol published", just a convenient means of
   pointing out that this problem has been well-known among security
   architects, thought about, and solutions designed, at least a decade ago.

2. You may notice the rather odd form of the draft, as an S/MIME work item.
   The reason why this was never published was because it proved impossible to
   get past PKIX because it wasn't blacklist-based and was therefore
   incompatible with CRLs.  The document starts in the late 1990s and mutates
   over time as I tried to work around PKIX' resistance to whitelist-based
   validity-checking.  After a couple of years of battling to get anything
   like this adopted I just gave up, as the "CMS" in the draft implies towards
   the end I was resorting to trying to launder it via the S/MIME working
   group to get it published.  I think it was when someone told me that it'd
   be referred back to PKIX for approval (as part of some IETF mechanism to
   prevent people doing end-runs around working groups as I was doing) that I
   realised it was never going to go anywhere.

Anyway, a solution exists; it's been implemented and in active use for at
least a decade, and I believe it fixes all of OCSP's numerous flaws as well as
ones that were never even considered in OCSP, such as performance implications
(in one test while looking at throughput I managed to - accidentally - DoS a
LAN with a single 300MHz PIII machine running this protocol.  Try doing that
with OCSP).
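As an added illustration of the blacklist-versus-whitelist design point in the
post above (this is example code written for this page, not Gutmann's draft
protocol, OCSP, or any CA's real data; the serial numbers, the CA's issuance
log, and the "rogue" certificate are all constructed): a CRL/OCSP-style check
only answers "is this serial on the bad list?", so a certificate the CA never
knowingly issued comes back as good. A whitelist check asks "does the CA
positively assert it issued this, and not withdrawn it?", so the same
certificate comes back as unknown and is rejected.

```python
"""
Blacklist (CRL/OCSP-style) vs whitelist validity checking.

Constructed example: the CA's issuance log, its revocation list and the
serial numbers below are made up for illustration.  ROGUE_SERIAL models a
certificate minted with the CA's key but never recorded by the CA itself,
which is the case a blacklist cannot express.
"""
from enum import Enum


class Status(Enum):
    GOOD = "good"          # positive assertion that the cert is valid
    REVOKED = "revoked"    # the CA has withdrawn it
    UNKNOWN = "unknown"    # the CA makes no assertion about it at all


# Hypothetical CA state.
ISSUED_SERIALS = {0x1001, 0x1002, 0x1003}   # what the CA knows it issued
REVOKED_SERIALS = {0x1002}                  # CRL contents
ROGUE_SERIAL = 0xBAD                        # issued behind the CA's back


def blacklist_check(serial, revoked=REVOKED_SERIALS, source_reachable=True):
    """CRL/OCSP-style: accept unless the serial is explicitly listed as bad.

    source_reachable=False models the common client "soft-fail" behaviour
    of treating an unobtainable CRL/OCSP response as "not revoked".
    """
    if not source_reachable:
        return Status.GOOD
    return Status.REVOKED if serial in revoked else Status.GOOD


def whitelist_check(serial, issued=ISSUED_SERIALS, revoked=REVOKED_SERIALS,
                    source_reachable=True):
    """Whitelist-style: accept only on a positive, current assertion.

    With no reachable source there is no assertion, so the answer is
    UNKNOWN, which the acceptance policy below treats as a failure.
    """
    if not source_reachable:
        return Status.UNKNOWN
    if serial not in issued:
        return Status.UNKNOWN
    if serial in revoked:
        return Status.REVOKED
    return Status.GOOD


def accept(status):
    """Acceptance policy: only an explicit GOOD is good enough."""
    return status is Status.GOOD


def compare(serials, source_reachable=True):
    """Return {serial: (accepted_by_blacklist, accepted_by_whitelist)}."""
    return {
        s: (accept(blacklist_check(s, source_reachable=source_reachable)),
            accept(whitelist_check(s, source_reachable=source_reachable)))
        for s in serials
    }


if __name__ == "__main__":
    for serial, (bl, wl) in compare([0x1001, 0x1002, ROGUE_SERIAL]).items():
        print(f"serial {serial:#06x}: blacklist accepts={bl}, whitelist accepts={wl}")
    print("status source down:", compare([0x1001], source_reachable=False))
```

The interesting row is the rogue serial: the blacklist model accepts it because
nobody has put it on a CRL (nobody could, since the CA never knew about it),
while the whitelist model rejects it because the CA never asserted it exists.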

