[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Tue Sep 6 19:40:57 PDT 2011
[Responding to the same three lists as before, please trim followups if you
feel it's off-topic]
In response to my earlier "OCSP is unfixably broken, by design" comments, a
couple of people have responded off-list with variants of "OK smartypants, how
would you do it better?". In order to provide a general answer (and avoid
fragmenting the discussion into lots of private-mail threads), I'll point to
this:
http://tools.ietf.org/id/draft-gutmann-cms-rtcs-01.txt
This addresses all the problems I've pointed out in OCSP, as well as things
OCSP never considered like performance issues (thus Verisign's
security-breaking OCSP "optimisations"). It's been peer-reviewed and vetted, and I
could have it re-posted in current draft format in a couple of days if there's
any interest in finally switching validity-checking to proper whitelists (and
fixing all of OCSP's other bugs).
Two notes:
1. This isn't a "get my pet protocol published", just a convenient means of
pointing out that this problem has been well-known among security
architects, thought about, and solutions designed, at least a decade ago.
2. You may notice the rather odd form of the draft, as an S/MIME work item.
The reason why this was never published was because it proved impossible to
get past PKIX because it wasn't blacklist-based and was therefore
incompatible with CRLs. The document starts in the late 1990s and mutates
over time as I tried to work around PKIX' resistance to whitelist-based
validity-checking. After a couple of years of battling to get anything
like this adopted I just gave up, as the "CMS" in the draft implies, towards
the end I was resorting to trying to launder it via the S/MIME working
group to get it published. I think it was when someone told me that it'd
be referred back to PKIX for approval (as part of some IETF mechanism to
prevent people doing end-runs around working groups as I was doing) that I
realised it was never going to go anywhere.
Anyway, a solution exists, it's been implemented and in active use for at
least a decade, and I believe it fixes all of OCSP's numerous flaws as well as
ones that were never even considered in OCSP, such as performance implications
(in one test while looking at throughput I managed to - accidentally - DoS a
LAN with a single 300MHz PIII machine running this protocol. Try doing that
with OCSP).
Peter.