[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
Gervase Markham
gerv at mozilla.org
Mon Sep 5 02:40:14 PDT 2011
On 05/09/11 10:34, Martin Rublik wrote:
> There are implementations of OCSP responders that use CRL as an input for
> determining whether certificate is valid or not.
So if the cert is not in the CRL, they assume it's valid?
http://www.ietf.org/rfc/rfc2560.txt :
" The "good" state indicates a positive response to the status inquiry.
At a minimum, this positive response indicates that the certificate
is not revoked, but does not necessarily mean that the certificate
was ever issued or that the time at which the response was produced
is within the certificate's validity interval."
Wow, that sucks. I mean, clients should check expiry, but the
possibility of returning "good" for non-existent certificates is just
totally broken.
Then again:
"The "unknown" state indicates that the responder doesn't know about
the certificate being requested."
You would hope the responder would at least return that!
Gerv
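The two responder behaviours discussed in the thread, as an added example that is not part of the original post or of any real responder's code. It models a CRL-backed OCSP responder (anything not on the CRL is "good", including serials the CA never issued) beside a responder backed by the CA's issuance records (a never-issued serial is "unknown"), and a client that checks the validity interval locally because, per the quoted RFC 2560 text, "good" does not imply it. The serials, dates and CRL contents are constructed sample data; the function names are my own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class CertStatus(Enum):
    # The three OCSP CertStatus values from RFC 2560 section 2.2.
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


# Constructed sample data: the CA's issuance log and its CRL.
NOW = datetime(2011, 9, 5, 9, 40, tzinfo=timezone.utc)
ISSUED = {
    0x1001: Cert(0x1001, NOW - timedelta(days=30), NOW + timedelta(days=335)),   # valid
    0x1002: Cert(0x1002, NOW - timedelta(days=400), NOW - timedelta(days=35)),   # expired
    0x1003: Cert(0x1003, NOW - timedelta(days=10), NOW + timedelta(days=355)),   # revoked
}
CRL = {0x1003}  # serials listed on the CA's CRL

# A certificate with a serial the CA never issued, e.g. minted by an intruder
# who bypassed the CA's normal issuance pipeline (constructed, hypothetical).
FORGED = Cert(0xDEAD, NOW - timedelta(days=1), NOW + timedelta(days=364))


def crl_backed_status(serial: int) -> CertStatus:
    """Responder that only consults the CRL.

    It cannot tell "issued and not revoked" from "never issued", so every
    serial absent from the CRL comes back as GOOD.
    """
    return CertStatus.REVOKED if serial in CRL else CertStatus.GOOD


def db_backed_status(serial: int) -> CertStatus:
    """Responder that consults the issuance log before the CRL.

    A serial with no issuance record is reported as UNKNOWN rather than GOOD.
    """
    if serial not in ISSUED:
        return CertStatus.UNKNOWN
    return CertStatus.REVOKED if serial in CRL else CertStatus.GOOD


def client_accepts(cert: Cert, status_fn, now: datetime = NOW) -> bool:
    """Client-side decision.

    The validity interval is checked locally, since a GOOD response does not
    guarantee the cert is inside it, and only GOOD is accepted: UNKNOWN and
    REVOKED both fail closed.
    """
    if not (cert.not_before <= now <= cert.not_after):
        return False
    return status_fn(cert.serial) is CertStatus.GOOD


if __name__ == "__main__":
    for name, fn in (("crl-backed", crl_backed_status), ("db-backed", db_backed_status)):
        for cert in (*ISSUED.values(), FORGED):
            print(f"{name:10s} serial={cert.serial:#06x} status={fn(cert.serial).value:8s} "
                  f"accepted={client_accepts(cert, fn)}")
```

Running it shows the failure mode in the thread: the CRL-backed responder answers "good" for the never-issued serial and the client accepts the forged cert, while the database-backed responder answers "unknown" and the client rejects it. The expired cert is rejected by the client in both cases even though both responders say "good" for it.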