[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Sep 5 21:25:26 PDT 2011


Erwann ABALEA <erwann at abalea.com> writes:

>This RFC *is* broken.

It's broken in more ways than just that, and then the brokenness got extended
by Verisign's "high-performance OCSP" (since adopted by pretty much every
other CA) which allows the CA to replay an old response to the client.  So you
don't even need to directly attack OCSP any more, just grab a "not-revoked"
response, impersonate the CA to the client, and whenever they ask for a
status, replay the old not-revoked response.

>The idea is good, though.

Not really.  It's based on such a toxic combination of broken ideas
(blacklisting, muddled, non-orthogonal status codes, inappropriate cert IDs,
not authenticating parts of the response, a schizophrenic trust model, etc
etc) that you'd really need to start again in order to get it right.

Peter.
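The replay described above works because a client that only checks `nextUpdate` will accept a pre-signed "good" response for as long as the responder's validity window runs. As an added example (not from the thread or any CA's code), here is the freshness policy a relying party could apply to already-parsed OCSP fields; the dict layout, the policy limits, and the captured response are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Local relying-party policy (constructed values, not taken from any standard).
MAX_SKEW = timedelta(minutes=5)   # tolerated clock drift versus the responder
MAX_AGE = timedelta(hours=12)     # oldest "good" we will act on, whatever nextUpdate says

def naive_check(resp, now):
    """What a minimal client does: accept any 'good' whose nextUpdate has not passed."""
    return resp["cert_status"] == "good" and now <= resp["next_update"]

def evaluate_ocsp_response(resp, request_nonce, now):
    """Return (accept, reason) for a parsed OCSP SingleResponse (a dict stands in for the ASN.1)."""
    if request_nonce is not None:
        if resp.get("nonce") is None:
            return False, "responder omitted nonce: replay cannot be excluded"
        if resp["nonce"] != request_nonce:
            return False, "nonce mismatch: response belongs to another request"
    if resp["this_update"] > now + MAX_SKEW:
        return False, "thisUpdate in the future"
    if resp["next_update"] is not None and resp["next_update"] < now - MAX_SKEW:
        return False, "nextUpdate passed"
    if now - resp["this_update"] > MAX_AGE:
        # Caps how long a captured 'good' stays usable even without a nonce.
        return False, "response older than local policy allows"
    if resp["cert_status"] != "good":
        return False, "status is " + resp["cert_status"]
    return True, "fresh good response"

# Constructed scenario: a pre-signed "good" captured at T0 and replayed three days
# later, after the certificate has been revoked.  The responder signed it with a
# week-long nextUpdate and no nonce, which is the pre-signed pattern the thread describes.
T0 = datetime(2011, 9, 1, 12, 0, tzinfo=timezone.utc)
CAPTURED_GOOD = {
    "cert_status": "good",
    "this_update": T0,
    "next_update": T0 + timedelta(days=7),
    "nonce": None,
}
REPLAY_TIME = T0 + timedelta(days=3)
FRESH_TIME = T0 + timedelta(hours=1)
REQUEST_NONCE = b"\x5a\x91\x03\xee"  # constructed client nonce

if __name__ == "__main__":
    print("naive client accepts replay:", naive_check(CAPTURED_GOOD, REPLAY_TIME))
    print("policy client:", evaluate_ocsp_response(CAPTURED_GOOD, REQUEST_NONCE, REPLAY_TIME))
```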
