[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Erwann ABALEA erwann at abalea.com
Tue Sep 6 00:19:31 PDT 2011


2011/9/6 Peter Gutmann <pgut001 at cs.auckland.ac.nz>:
[...]
> The fact that we need to go to such drastic measures as pulling a root cert is
> an artefact of the totally broken validity-checking mechanism we have now.
> Since you can't directly invalidate an unknown cert, the only way to do it is
> pull the root.  Imagine if this happened with a larger CA like Verisign.  If
> it issued a single manufactured cert, the only way to invalidate it would be
> to pull Verisign's root cert.

Staying on the DigiNotar case, the root removal is not only necessary
to distrust unknown issued certificates, but mainly because of their
failure to act as a *trusted* actor. What you get by removing a root
certificate is only removing the trust you placed in it, nothing more.
You don't invalidate the mis-issued certificates (by X.509 rules), you
only declare them as not-trusted.

What is defective is the browser implementation, with a need to embed
in the code a list of certificates to blacklist. When done in a hurry
like this, this can lead to bad design, and implementation errors.
Looking at Chromium code, what is effectively blacklisted is a list of
serial numbers, with no respect to the issuer, and encoded as 16-byte
octet strings (ignoring the leading 00 octet of the DER
representation), with special cases for 15-byte ones.

-- 
Erwann.
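
The following is an added example, not part of the original message and not Chromium's code. It shows why a serial-only list needs length special cases (DER prepends a 00 octet when the top bit is set, and a zero top byte shortens the value) and why ignoring the issuer matches certificates from unrelated CAs. Serials, issuer names and function names are constructed for illustration.

```python
# Added illustration: constructed serials and issuer names, not Chromium's code.

def der_integer_content(n: int) -> bytes:
    """Content octets of a non-negative DER INTEGER (minimal two's complement)."""
    if n < 0:
        raise ValueError("serial must be non-negative")
    # +8 leaves room for the sign bit, so a set top bit costs a leading 00 octet.
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")

def strip_sign_octet(content: bytes) -> bytes:
    """Drop the leading 00 that DER adds only to keep the value positive."""
    if len(content) > 1 and content[0] == 0 and content[1] & 0x80:
        return content[1:]
    return content

# Constructed 128-bit serials: one with the top bit set, one with a zero top byte.
SERIAL_HIGH = int.from_bytes(bytes([0xD7] + [0x11] * 15), "big")
SERIAL_SHORT = int.from_bytes(bytes([0x00, 0x7A] + [0x22] * 14), "big")

BAD_ISSUER = "CN=Compromised CA (constructed)"
OTHER_ISSUER = "CN=Unrelated CA (constructed)"

# Serial-only list, as the message describes, next to an issuer-scoped one.
SERIAL_ONLY = {strip_sign_octet(der_integer_content(s))
               for s in (SERIAL_HIGH, SERIAL_SHORT)}
ISSUER_SCOPED = {(BAD_ISSUER, key) for key in SERIAL_ONLY}

def blocked_serial_only(der_content: bytes) -> bool:
    """Match on the serial alone, whoever issued the certificate."""
    return strip_sign_octet(der_content) in SERIAL_ONLY

def blocked_issuer_scoped(issuer: str, der_content: bytes) -> bool:
    """Match on the (issuer, serial) pair that identifies a certificate."""
    return (issuer, strip_sign_octet(der_content)) in ISSUER_SCOPED

if __name__ == "__main__":
    for name, serial in (("high-bit", SERIAL_HIGH), ("short", SERIAL_SHORT)):
        der = der_integer_content(serial)
        key = strip_sign_octet(der)
        print(f"{name}: DER {len(der)} octets, list key {len(key)} octets")
        print("  raw DER bytes equal a list entry:", der in SERIAL_ONLY)
        print("  unrelated issuer, serial-only:   ", blocked_serial_only(der))
        print("  unrelated issuer, issuer-scoped: ",
              blocked_issuer_scoped(OTHER_ISSUER, der))
```
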


