[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Rob Stradling rob.stradling at comodo.com
Fri Sep 9 01:44:04 PDT 2011


On Thursday 08 Sep 2011 05:33:24 Peter Gutmann wrote:
> Gervase Markham <gerv at mozilla.org> writes:
> >On 05/09/11 10:57, Rob Stradling wrote:
> >> So if it's "totally broken", why don't you and Kathleen add "OCSP
> >> Responders MUST NOT report 'good' if the certificate is not known to
> >> have been issued" to the Mozilla CA Certificate Policy?
> >
> >Noted :-)
> 
> That's actually in blatant violation of the RFC.

One man's "blatant violation" is another man's "profile" [1].  :-)

If it's not been done already, it might be an interesting exercise to write an 
I-D called something like "The Hardened OCSP Profile for the Internet".  This 
I-D could say things like:
  - Responders MUST NOT report "good" for a serial number that is not known to
    have been put into a legitimate certificate.
  - Clients MUST hard-fail when they cannot obtain signed certificate status
    information.
  - Responders MUST include a hash of each certificate in a newly defined
    SingleResponse Extension.

Mozilla et al might decide to require CAs to comply with such an I-D, even if 
the PKIX WG refuses to even consider it as a work item.


[1] Here are a few of the "blatant violations" of RFC2560 that are present in 
RFC5019 (The Lightweight OCSP Profile for High-Volume Environments):

"2.1.1.  OCSPRequest Structure

   OCSPRequests conformant to this profile MUST include only one Request
   in the OCSPRequest.RequestList structure.

   Clients MUST use SHA1 as the hashing algorithm for the
   CertID.issuerNameHash and the CertID.issuerKeyHash values.

   Clients MUST NOT include the singleRequestExtensions structure."


Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
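As an added illustration of the profile sketched in the message above (example code written for this archive page, not from Rob, Comodo or any RFC text), here is a small Python model of an RFC 2560-style responder beside one following the three proposed rules, with a client that hard-fails. The serials, "certificate" bytes and the SingleResponse hash extension are constructed and hypothetical.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not real certificates): serial -> DER-ish bytes
ISSUED = {
    0x1001: b"cert-for-example.com",
    0x1002: b"cert-for-mail.example.net",
}
REVOKED = {0x1002}


@dataclass
class SingleResponse:
    serial: int
    status: str                  # "good" | "revoked" | "unknown"
    cert_hash: Optional[bytes]   # hypothetical SingleResponse extension
    signed: bool = True          # True when the responder signature verified


def naive_status(serial):
    """RFC 2560-style responder that only consults its revocation list:
    anything not revoked is reported 'good', even a never-issued serial."""
    status = "revoked" if serial in REVOKED else "good"
    return SingleResponse(serial, status, None)


def hardened_status(serial):
    """Responder following the proposed profile: 'good' only for serials
    known to have been put into a legitimate certificate, with the cert
    hash echoed back so the client can bind the answer to what it was shown."""
    if serial in REVOKED:
        return SingleResponse(serial, "revoked", None)
    if serial in ISSUED:
        return SingleResponse(serial, "good", hashlib.sha256(ISSUED[serial]).digest())
    return SingleResponse(serial, "unknown", None)


def client_accepts(resp, cert_der, hard_fail=True):
    """Client decision. A hard-fail client rejects whenever signed status is
    unavailable; a soft-fail client (typical browser behaviour) lets it through."""
    if resp is None or not resp.signed:
        return not hard_fail
    if resp.status != "good":
        return False
    if resp.cert_hash is not None and resp.cert_hash != hashlib.sha256(cert_der).digest():
        return False  # the answer refers to a different certificate than the one presented
    return True
```

A rogue certificate with a never-issued serial gets "good" from the naive responder but "unknown" from the hardened one, and a hard-fail client treats a missing or unsigned answer as a rejection.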