[SSL Observatory] SSL CA compromise in the wild
Erwann ABALEA
erwann at abalea.com
Thu Mar 24 09:05:14 PDT 2011
I missed the "reply to all" button :(
2011/3/24 Erwann ABALEA <erwann at abalea.com>:
> Bonjour,
>
> 2011/3/24 Peter Gutmann <pgut001 at cs.auckland.ac.nz>:
>> - The blacklist-based controls used in PKI (CRLs and OCSP) don't work, and the
>> vendors agree (Jacob Appelbaum has pointed this out too). AFAIK every
>> single one of them pushed out updates that hardcode the certs to be rejected
>> into their browsers. Looked at the other way round, not one single vendor
>> trusts the mechanisms that PKI is supposed to use to deal with these
>> certificates. So if you want to go through the motions for compliance
>> purposes, issue a CRL or OCSP. If you really care about the status of a
>> cert, do something else.
>
> I made some tests a few weeks ago, on several browsers and OS
> combinations. It appeared that the NSS library (used by Firefox on
> every platform, and by Chrome on Linux) doesn't check anything (CRL or
> OCSP) for non-EV certificates. From memory, MSCAPI, Opera, and the
> MacOSX crypto toolkit do a better job, checking either the OCSP
> responder or the CRL, depending on the level in the hierarchy and the
> software used.
> More checks could be done.
>
> In that specific case, since the emitting CA is a root one, it can't
> be revoked. And if it is suppressed from the trust store, since it was
> cross-signed by another root (AddTrust External Root CA) and the good
> URI is placed in the AIA extension, a chain can still be built.
>
>> (If you can issue your own certs then it's even worse, just fit them with a
>> CRLDP extension pointing to an OCSP responder that you control and those
>> certs can never be revoked. It's another case of PKI relying on mechanisms
>> that involve asking the drunk whether he's drunk).
>
> I'd create a long-lived OCSP responder certificate with the
> OCSPNoCheck extension. This kind of certificate can't be revoked *at
> all*, and has the same power as a CRL-signing key (which can be
> revoked).
--
Erwann.
More information about the Observatory
mailing list