[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Rob Stradling rob.stradling at comodo.com
Mon Sep 5 02:57:16 PDT 2011


On Monday 05 Sep 2011 10:40:14 Gervase Markham wrote:
> On 05/09/11 10:34, Martin Rublik wrote:
> > There are implementations of OCSP responders that use CRL as an input for
> > determining whether certificate is valid or not.
> 
> So if the cert is not in the CRL, they assume it's valid?
> 
> http://www.ietf.org/rfc/rfc2560.txt :
> "   The "good" state indicates a positive response to the status inquiry.
>    At a minimum, this positive response indicates that the certificate
>    is not revoked, but does not necessarily mean that the certificate
>    was ever issued or that the time at which the response was produced
>    is within the certificate's validity interval."
> 
> Wow, that sucks. I mean, clients should check expiry, but the
> possibility of returning "good" for non-existent certificates is just
> totally broken.

Gerv,
So if it's "totally broken", why don't you and Kathleen add "OCSP Responders 
MUST NOT report 'good' if the certificate is not known to have been issued" to 
the Mozilla CA Certificate Policy?

> Then again:
> 
>    "The "unknown" state indicates that the responder doesn't know about
>    the certificate being requested."
> 
> You would hope the responder would at least return that!
> 
> Gerv

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
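
The two responder behaviours discussed in this thread, as an added illustration that is not part of the original message: a CRL-only responder reports "good" for a serial the CA never issued, while one backed by the CA's issuance records reports "unknown", and the relying party still checks the validity interval itself because RFC 2560 "good" does not cover it. All serial numbers and dates below are constructed.

```python
"""Toy OCSP status decisions: a CRL-only responder versus one that also
consults the CA's issuance records. All serials and dates are constructed."""
from datetime import datetime, timezone

UTC = timezone.utc
NOW = datetime(2011, 9, 5, tzinfo=UTC)  # constructed "current time"
# Constructed CRL: serial numbers this CA has revoked.
CRL = {0x1001, 0x1003}
# Constructed issuance records: serial -> (notBefore, notAfter) for every
# certificate the CA actually signed; a never-issued serial has no entry.
ISSUED = {
    0x1001: (datetime(2011, 1, 1, tzinfo=UTC), datetime(2012, 1, 1, tzinfo=UTC)),
    0x1002: (datetime(2011, 1, 1, tzinfo=UTC), datetime(2012, 1, 1, tzinfo=UTC)),
    0x1003: (datetime(2011, 1, 1, tzinfo=UTC), datetime(2012, 1, 1, tzinfo=UTC)),
    0x1004: (datetime(2009, 1, 1, tzinfo=UTC), datetime(2010, 1, 1, tzinfo=UTC)),
}

def status_crl_only(serial: int, crl: set) -> str:
    """The pattern described in the thread: only the CRL is consulted, so a
    serial absent from it is reported 'good' even if the CA never issued it."""
    return "revoked" if serial in crl else "good"

def status_with_issuance_records(serial: int, crl: set, issued: dict) -> str:
    """'unknown' when the CA has no record of issuing the serial, 'revoked'
    when it is on the CRL, 'good' only for an issued, unrevoked serial."""
    if serial not in issued:
        return "unknown"
    if serial in crl:
        return "revoked"
    return "good"

def client_accepts(ocsp_status: str, not_before: datetime,
                   not_after: datetime, now: datetime) -> bool:
    """Relying-party side: RFC 2560 'good' says nothing about the validity
    interval, so the client checks expiry itself and rejects any non-'good'."""
    return ocsp_status == "good" and not_before <= now <= not_after

if __name__ == "__main__":
    forged = 0x9999  # constructed serial the CA never issued
    print("CRL-only responder:", status_crl_only(forged, CRL))
    print("Record-backed responder:", status_with_issuance_records(forged, CRL, ISSUED))
    nb, na = ISSUED[0x1004]  # issued and unrevoked, but expired
    print("Client accepts expired cert:", client_accepts("good", nb, na, NOW))
```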