[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Sep 6 01:02:51 PDT 2011


Jacob Appelbaum <jacob at appelbaum.net> writes:

>Consider the case where a user is on a GSM cell phone and the attacker
>controls the entire phone network - they can set the time on the phone to be
>whatever they'd like.

Yup, and that generalises to "anything that isn't running NTP".  Even for that
case, an attacker who can spoof OCSP responses can just as easily spoof
NTP responses.  So the more general generalisation is that if you include time
into your TCB then you need to also provide a secure mechanism for
distributing time info.  As I said in my Usenix talk on practical issues with
crypto about a decade ago:

  How to break almost any PKI protocol

  - Factor the RSA modulus
  - Steal the key from the HSM
  - Change the system clock

(with a check-mark next to the last one).

Peter.
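
The point about time being part of the TCB, as an added example that is not part of the original message: a freshness check on a replayed status response, once trusting the local clock and once guarded by a lower bound on time. `TimeFloor`, the function names and all dates are hypothetical and constructed for illustration; the floor only detects rollback below a known point and is not a substitute for a secure time-distribution mechanism.

```python
from datetime import datetime, timezone

class ClockRollback(Exception):
    """Local clock reads earlier than a time already known to have passed."""

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def naive_is_fresh(this_update, next_update, clock_now):
    # Trusts whatever the clock says: the clock is silently part of the TCB.
    return this_update <= clock_now <= next_update

class TimeFloor:
    """Hypothetical helper: latest time proven to have passed (build date,
    or a timestamp taken from an already verified signed object)."""
    def __init__(self, floor):
        self.floor = floor

    def advance(self, authenticated_time):
        # Ratchet only on authenticated time, never on the raw clock.
        self.floor = max(self.floor, authenticated_time)

    def checked_now(self, clock_now):
        if clock_now < self.floor:
            raise ClockRollback(f"clock {clock_now} precedes floor {self.floor}")
        return clock_now

def guarded_is_fresh(this_update, next_update, clock_now, floor):
    return this_update <= floor.checked_now(clock_now) <= next_update

# Constructed sample: a replayed "good" response with a one-week window.
THIS_UPDATE, NEXT_UPDATE = utc(2011, 8, 1), utc(2011, 8, 8)
REAL_TIME = utc(2011, 9, 6)
SPOOFED_CLOCK = utc(2011, 8, 5)  # value supplied by an untrusted time source

def demo():
    floor = TimeFloor(utc(2011, 9, 1))  # assumed: software build date
    window = (THIS_UPDATE, NEXT_UPDATE)
    results = {
        "naive_real": naive_is_fresh(*window, REAL_TIME),
        "naive_spoofed": naive_is_fresh(*window, SPOOFED_CLOCK),
        "guarded_real": guarded_is_fresh(*window, REAL_TIME, floor),
    }
    try:
        guarded_is_fresh(*window, SPOOFED_CLOCK, floor)
        results["guarded_spoofed"] = "accepted"
    except ClockRollback:
        results["guarded_spoofed"] = "rollback detected"
    return results
```

A clock spoofed to a point after the floor but inside the response's window would still pass, which is why the floor narrows the problem rather than solving it.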


