[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Lucky Green shamrock at cypherpunks.to
Wed Sep 7 22:24:44 PDT 2011


On 2011-09-07 21:33, Peter Gutmann wrote:
[...]
> In any case it doesn't really help, given OCSP's broken IDs an attacker can
> trivially work around this.  And if you fix those, given the replay-attack-
> enabled "high-performance" optimisation an attacker can work around that.  And
> if you fix that, given that half the response is unauthenticated, an attacker
> can go for that.  To paraphrase Lucky Green, OCSP is multiple-redundant
> broken, by design.  If you remove the bits that don't work (the response
> status, the cert ID, nonces, and the unauthenticated portions of the response)
> there is literally nothing left.  There's an empty ASN.1 shell with no actual
> content.  There is not one single bit of OCSP that actually works as it's
> supposed to.

I rarely find myself in disagreement with Peter when it comes to PKI
architecture, but I have to disagree that there is "not one single bit
of OCSP that actually works as it's supposed to". Most OCSP
implementations reasonably well conform to the RFC that defines what
"supposed to" entails.

The OCSP spec very clearly delineates prescribed OCSP behavior, which
includes not raising an alarm when the CA encounters a cert the CA knows
for a fact it has not issued, mandates a week (or years) old certificate
status to govern acceptance of a cert, and allows an ancient OCSP
response to be replayed indefinitely.

Not that it would improve OCSP security substantially if OCSP responders
chose to violate the standard. As certificate-consuming application
authors mentioned on this list, they would (by necessity) turn off OCSP
checking if a failure to receive an OCSP response in a timely fashion
prevented access to an https website.

Solving these issues is largely gated by convincing the IETF that OCSP
suffers from certain design flaws (a valiantly fought battle that
yielded no victories in the last 10+ years) combined with an improvement
in the reliability and performance of OCSP responders (an equally
valiantly fought battle that caused the primary protagonist to almost
file for bankruptcy some 10 years ago, exiting the business around that
time).

--Lucky Green
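
The following is an added example, not part of the original message. It models the relying-party side of the behaviors named above (old status governing acceptance, replay of an old response, and accepting when no response arrives) next to a stricter policy. The `OcspResponse` class, the function names, the 12-hour age limit and the sample values are assumptions made for illustration; no real ASN.1 or signature handling is done.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class OcspResponse:
    """Simplified stand-in for the fields of a signed OCSP response (not real ASN.1)."""
    cert_status: str                 # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]  # may be absent
    nonce: Optional[bytes]           # echoed request nonce; absent in pre-generated responses

def lenient(resp, now):
    """Soft-fail client: a missing answer and any unexpired 'good' are both accepted."""
    if resp is None:
        return "accept"              # responder unreachable or response dropped
    if resp.next_update is not None and now > resp.next_update:
        return "reject"
    return "accept" if resp.cert_status == "good" else "reject"

def strict(resp, now, sent_nonce, max_age=timedelta(hours=12)):
    """Hard-fail client: needs a fresh 'good' answer bound to this request's nonce."""
    if resp is None:
        return "reject: no response"
    if resp.cert_status != "good":
        return "reject: status " + resp.cert_status
    if resp.next_update is None or now > resp.next_update:
        return "reject: expired or unbounded"
    if now - resp.this_update > max_age:     # max_age is an assumed local policy value
        return "reject: stale"
    if resp.nonce is None or resp.nonce != sent_nonce:
        return "reject: not bound to request"
    return "accept"

# Constructed sample data: a 'good' response captured six days before the check,
# and a fresh one that echoes the request nonce.
NOW = datetime(2011, 9, 7, tzinfo=timezone.utc)
CAPTURED = OcspResponse("good", NOW - timedelta(days=6), NOW + timedelta(days=1), None)
FRESH = OcspResponse("good", NOW - timedelta(minutes=5), NOW + timedelta(hours=6), b"n-1")

if __name__ == "__main__":
    for name, resp in [("captured", CAPTURED), ("fresh", FRESH), ("missing", None)]:
        print(name, "| lenient:", lenient(resp, NOW), "| strict:", strict(resp, NOW, b"n-1"))
```

The strict policy is the one that, as the message notes, client authors say they cannot ship while responder reliability makes hard failure unacceptable.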


