[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
Erwann ABALEA
erwann at abalea.com
Mon Sep 5 02:53:50 PDT 2011
2011/9/5 Gervase Markham <gerv at mozilla.org>:
> On 05/09/11 10:34, Martin Rublik wrote:
>> There are implementations of OCSP responders that use CRL as an input for
>> determining whether certificate is valid or not.
>
> So if the cert is not in the CRL, they assume it's valid?
>
> http://www.ietf.org/rfc/rfc2560.txt :
> " The "good" state indicates a positive response to the status inquiry.
> At a minimum, this positive response indicates that the certificate
> is not revoked, but does not necessarily mean that the certificate
> was ever issued or that the time at which the response was produced
> is within the certificate's validity interval."
>
> Wow, that sucks. I mean, clients should check expiry, but the
> possibility of returning "good" for non-existent certificates is just
> totally broken.
This RFC *is* broken. The idea is good, though.
But being able to design a certificate as "non revocable" and able to
deliver revocation state for other certificates still horrifies me
(OCSPNoCheck extension). As I said earlier, this could be the next
attack target: generate an OCSP responder certificate with this
extension and a long validity period, a bunch of bogus certificates,
and relying parties won't be able to rely on OCSP anymore.
> Then again:
>
> "The "unknown" state indicates that the responder doesn't know about
> the certificate being requested."
>
> You would hope the responder would at least return that!
"Unknown" is understood as "bad" by relying parties, because it's not signed.
--
Erwann.
More information about the Observatory
mailing list