[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
Rob Stradling
rob.stradling at comodo.com
Fri Sep 9 01:44:04 PDT 2011
On Thursday 08 Sep 2011 05:33:24 Peter Gutmann wrote:
> Gervase Markham <gerv at mozilla.org> writes:
> >On 05/09/11 10:57, Rob Stradling wrote:
> >> So if it's "totally broken", why don't you and Kathleen add "OCSP
> >> Responders MUST NOT report 'good' if the certificate is not known to
> >> have been issued" to the Mozilla CA Certificate Policy?
> >
> >Noted :-)
>
> That's actually in blatant violation of the RFC.

One man's "blatant violation" is another man's "profile" [1]. :-)

If it's not been done already, it might be an interesting exercise to write an
I-D called something like "The Hardened OCSP Profile for the Internet". This
I-D could say things like:

- Responders MUST NOT report "good" for a serial number that is not known to
  have been put into a legitimate certificate.
- Clients MUST hard-fail when they cannot obtain signed certificate status
  information.
- Responders MUST include a hash of each certificate in a newly defined
  SingleResponse Extension.

Mozilla et al might decide to require CAs to comply with such an I-D, even if
the PKIX WG refuses to even consider it as a work item.

[1] Here are a few of the "blatant violations" of RFC2560 that are present in
RFC5019 (The Lightweight OCSP Profile for High-Volume Environments):

"2.1.1. OCSPRequest Structure

OCSPRequests conformant to this profile MUST include only one Request
in the OCSPRequest.RequestList structure.

Clients MUST use SHA1 as the hashing algorithm for the
CertID.issuerNameHash and the CertID.issuerKeyHash values.

Clients MUST NOT include the singleRequestExtensions structure."

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
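
Added illustration, not part of the original message and not any real responder's code: a toy Python model of the three rules proposed above, set beside a responder that reports "good" for anything not revoked and a client that soft-fails. Assumptions: an unrecorded serial is answered "unknown", the certificate hash is SHA-256, the `cert_hash` field and all sample values are constructed, and response signing is left out.

```python
import hashlib
from typing import NamedTuple, Optional

class SingleResponse(NamedTuple):
    serial: int
    status: str                 # "good", "revoked" or "unknown"
    cert_hash: Optional[bytes]  # hypothetical extension value (rule 3)

class Responder:
    """Toy responder. `issued` maps serial -> DER bytes of each issued cert."""
    def __init__(self, issued, revoked, hardened):
        self.issued, self.revoked, self.hardened = issued, revoked, hardened

    def query(self, serial):
        if serial in self.revoked:
            return SingleResponse(serial, "revoked", None)
        if not self.hardened:
            # Revocation-list view: whatever is not revoked is "good".
            return SingleResponse(serial, "good", None)
        if serial not in self.issued:
            # Rule 1: no issuance record, so never "good".
            # Answering "unknown" is this example's assumption.
            return SingleResponse(serial, "unknown", None)
        digest = hashlib.sha256(self.issued[serial]).digest()
        return SingleResponse(serial, "good", digest)

def client_accepts(cert_der, response, hardened):
    """Return True if the client goes on to trust cert_der."""
    if response is None:
        # Rule 2: no status obtained. A soft-fail client carries on anyway.
        return not hardened
    if response.status != "good":
        return False
    if hardened:
        # Rule 3: "good" must refer to this exact certificate.
        return response.cert_hash == hashlib.sha256(cert_der).digest()
    return True

# Constructed sample data: byte strings stand in for DER certificates.
ISSUED = {0x1001: b"constructed legitimate certificate"}
UNRECORDED = (0x9999, b"constructed certificate with no issuance record")
SERIAL_REUSE = (0x1001, b"constructed certificate reusing serial 0x1001")

def outcome(case, hardened=True, reachable=True):
    serial, der = case
    resp = Responder(ISSUED, set(), hardened).query(serial) if reachable else None
    return client_accepts(der, resp, hardened)
```

The `SERIAL_REUSE` case is where the third rule matters: the serial is on record, so the status alone is "good", and only the hash comparison tells the client the answer is about a different certificate.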