[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Sep 7 21:33:24 PDT 2011


Gervase Markham <gerv at mozilla.org> writes:
>On 05/09/11 10:57, Rob Stradling wrote:
>> So if it's "totally broken", why don't you and Kathleen add "OCSP Responders
>> MUST NOT report 'good' if the certificate is not known to have been issued" to
>> the Mozilla CA Certificate Policy?
>
>Noted :-)

That's actually in blatant violation of the RFC.  Doing this was specifically
excluded from OCSP, most recently about six months ago.  So you're asking OCSP
implementations to act in a non-standards-compliant manner just for Firefox...
I can't see that flying.

In any case it doesn't really help, given OCSP's broken IDs an attacker can
trivially work around this.  And if you fix those, given the replay-attack-
enabled "high-performance" optimisation an attacker can work around that.  And
if you fix that, given that half the response is unauthenticated, an attacker
can go for that.  To paraphrase Lucky Green, OCSP is multiple-redundant
broken, by design.  If you remove the bits that don't work (the response
status, the cert ID, nonces, and the unauthenticated portions of the response)
there is literally nothing left.  There's an empty ASN.1 shell with no actual
content.  There is not one single bit of OCSP that actually works as it's
supposed to.

Peter.
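As an added illustration (not part of Peter's post or any OCSP implementation) of the replay and unauthenticated-status points made above, the following is a client-side acceptance policy written in Python. The `OcspResponse` fields are a simplified model of the real ASN.1 structure, and every sample response is constructed for the example.

```python
# Added example: client-side OCSP acceptance policy (simplified model, not real ASN.1).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

@dataclass
class OcspResponse:
    # Outer responseStatus sits OUTSIDE BasicOCSPResponse, so it is never signed.
    response_status: str
    # Fields from the signed tbsResponseData; None when no BasicOCSPResponse is present.
    signature_valid: bool = False
    cert_status: Optional[str] = None          # "good" | "revoked" | "unknown"
    this_update: Optional[datetime] = None
    next_update: Optional[datetime] = None
    nonce: Optional[bytes] = None              # id-pkix-ocsp-nonce extension, if echoed

def evaluate(resp: OcspResponse, sent_nonce: bytes, now: datetime,
             max_age: timedelta = timedelta(hours=1)) -> Tuple[bool, str]:
    """Return (accept, reason). Only a signed, fresh 'good' answer is accepted."""
    # 1. The unsigned status field proves nothing; without a verified signed body, stop.
    if not resp.signature_valid or resp.cert_status is None or resp.this_update is None:
        return False, "no verified signed body (responseStatus alone is unauthenticated)"
    # 2. A nonce that does not echo ours means the reply was not produced for this request.
    if resp.nonce is not None and resp.nonce != sent_nonce:
        return False, "nonce mismatch"
    # 3. Pre-produced (nonce-less) responses are replayable for their whole validity
    #    window, so clamp them to a short max_age measured from thisUpdate.
    if resp.nonce is None and now - resp.this_update > max_age:
        return False, "nonce-less response older than max_age (replay window)"
    # 4. Ordinary validity window.
    if now < resp.this_update:
        return False, "thisUpdate in the future"
    if resp.next_update is not None and now > resp.next_update:
        return False, "response expired"
    # 5. Only an explicit 'good' counts; 'unknown' is not 'good'.
    if resp.cert_status != "good":
        return False, f"certificate status is {resp.cert_status}"
    return True, "fresh, signed, matching response says good"

# Constructed sample responses (not captured traffic).
NOW = datetime(2011, 9, 7, 21, 33, tzinfo=timezone.utc)
NONCE = b"\x01\x02\x03\x04"
SIGNED_FRESH = OcspResponse("successful", True, "good", NOW - timedelta(minutes=5),
                            NOW + timedelta(days=7), NONCE)
REPLAYED = OcspResponse("successful", True, "good", NOW - timedelta(days=3),
                        NOW + timedelta(days=4), None)    # still inside its window
MISMATCHED = OcspResponse("successful", True, "good", NOW - timedelta(minutes=5),
                          NOW + timedelta(days=7), b"\xff\xff\xff\xff")
STATUS_ONLY = OcspResponse("successful")                  # outer status, no body
```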


