[As a general response, rather than retype a whole pile of stuff yet again, I'm going to answer some of these by reference, which also allows me to go into more detail and include diagrams. Sorry about this level of indirection, but it does make it a lot easier to explain the problems fully].
Gervase Markham <[email protected]> writes:

>On 04/09/11 07:15, Peter Gutmann wrote:
>> Blacklist-based validity checking, the Second Dumbest Idea in Computer
>> Security (Marcus Ranum), doesn't work:
>>
>> Diginotar issued certs for which there was no record of issuance, therefore
>> they couldn't be revoked. Whitelist-based checking would have prevented
>> this.
>
>Surely OCSP is whitelist-based checking? (I can't imagine engineering an OCSP
>server which, when asked about a certificate for which it had no record, said
>"Fine, no problem!")

No, and yes, respectively. See "Problems with OCSP" on page 527 of
http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf.

>I would disagree that _this_ makes the entire system as weak as its weakest
>link. It only makes systems which choose to interlink in any way as weak as
>the weakest link.

But browser PKI already is interlinked, via universal implicit
cross-certification (as I said). Thus, any CA can usurp any other CA. See
"Certificate Chains" on page 512 of the above ref.

>This is true, but I'm not sure it's particularly relevant. (Who claims that
>HSMs are magic pixie dust?)

CAs, when they issue a press release saying "everything's OK, we never lost
control of our private key"? Some European countries also seem to have a
near-fixation on smart cards for certificate use when they really only
contribute epsilon to the overall security. The point is that security is more
than just an HSM or smart card.

>> Lack of breach disclosure requirements for CAs means that they'll cover
>> problems up if they can get away with it:
>
>Do you think that remains true? Comodo didn't cover their problems up,

They did, it only got public attention when it was reverse-engineered out of
patches (and the browser vendors helped them in this). See the earlier
discussion of this on this list.

>and are still in business.

Because they've crossed the magic too-big-to-fail threshold. AIG is also
still in business.

>What sort of "trivial checks" are you suggesting?

See "Security through Diversity" on p.239, same ref as before. I'm also doing
a talk on this at EuroPKI next week (the timing is purely a coincidence, I'd
planned the talk six months ago but I think it was very kind of Diginotar to
help turn a general talk on security into something quite topical). See
http://www.cosic.esat.kuleuven.be/europki2011/, I'll also put the slides
online after the talk (they're actually up now, but I haven't publicly linked
to them yet).

>I think there are definitely searching questions to ask of DigiNotar's
>auditors.

I read in a comment in a Dutch news article that it was PWC, but haven't seen
it confirmed yet.

>Patches welcome? (Or did we reject them already? :-)

Yes. Nelson Bolyard said, in response to several requests for this, that they
(PSK mechanisms like -PSK and -SRP) would never be included in NSS. I can dig
up the original message if required.

Peter.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
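The blacklist-versus-whitelist point in the exchange above (a certificate the CA never recorded issuing cannot be revoked, and an OCSP "good" answer only means "not known to be revoked", as RFC 6960 section 2.2 spells out) can be shown with a toy validator. The following is an added example, not code from the post or from Peter Gutmann's book; it reduces a certificate to an (issuer, serial, subject) triple, performs no X.509 parsing or signature checking, and the CA name, serials and hostnames are constructed. `records_aware` and `fail_closed` are hypothetical knobs standing in for, respectively, a responder that consults the CA's issuance log rather than just its CRL, and a client that hard-fails on an "unknown" status.

```python
"""Toy model of blacklist-based (CRL / OCSP) versus whitelist-based
(issuance-record) certificate validity checking.

Constructed example: a certificate is reduced to an (issuer, serial, subject)
triple; there is no X.509 parsing and no signature verification."""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    GOOD = "good"          # RFC 6960: only means "not known to be revoked"
    REVOKED = "revoked"
    UNKNOWN = "unknown"    # responder has no record of the serial


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    subject: str


# Constructed CA state: the only certificates the CA's database knows about,
# and the subset it has formally revoked.
ISSUANCE_LOG = {
    ("Example CA", 1001): "www.example.org",
    ("Example CA", 1002): "mail.example.org",
}
CRL = {("Example CA", 1002)}


def crl_check(cert: Cert) -> bool:
    """Blacklist: accept unless the serial is on the CRL."""
    return (cert.issuer, cert.serial) not in CRL


def ocsp_status(cert: Cert, records_aware: bool) -> Status:
    """Responder view (hypothetical knob).  A responder built purely on the CRL
    (records_aware=False) answers GOOD for any serial it has not revoked; one
    that also consults the issuance log can answer UNKNOWN for serials it
    never recorded."""
    key = (cert.issuer, cert.serial)
    if key in CRL:
        return Status.REVOKED
    if records_aware and key not in ISSUANCE_LOG:
        return Status.UNKNOWN
    return Status.GOOD


def ocsp_check(cert: Cert, records_aware: bool, fail_closed: bool) -> bool:
    """Client policy layered on the responder: fail_closed treats UNKNOWN as reject."""
    status = ocsp_status(cert, records_aware)
    if status is Status.REVOKED:
        return False
    if status is Status.UNKNOWN:
        return not fail_closed
    return True


def whitelist_check(cert: Cert) -> bool:
    """Whitelist: accept only a certificate the CA recorded issuing, to the same
    subject it recorded, and that it has not since revoked."""
    key = (cert.issuer, cert.serial)
    return ISSUANCE_LOG.get(key) == cert.subject and key not in CRL


def evaluate(cert: Cert) -> dict:
    """Run every checker over one certificate; True means 'accepted'."""
    return {
        "crl": crl_check(cert),
        "ocsp_crl_only": ocsp_check(cert, records_aware=False, fail_closed=True),
        "ocsp_soft_fail": ocsp_check(cert, records_aware=True, fail_closed=False),
        "ocsp_hard_fail": ocsp_check(cert, records_aware=True, fail_closed=True),
        "whitelist": whitelist_check(cert),
    }


# Constructed test certificates.
LEGIT = Cert("Example CA", 1001, "www.example.org")
REVOKED = Cert("Example CA", 1002, "mail.example.org")
# Signed under the CA's key without the CA's database ever recording it: there
# is nothing on file to revoke, so every blacklist checker lets it through.
ROGUE = Cert("Example CA", 9999, "login.example.net")
# Reuses a recorded serial but names a different subject: blacklist lookups are
# keyed on serial alone and cannot tell it from the legitimate certificate.
MIMIC = Cert("Example CA", 1001, "login.example.net")


if __name__ == "__main__":
    for c in (LEGIT, REVOKED, ROGUE, MIMIC):
        print(f"{c.subject:18} serial {c.serial:5} {evaluate(c)}")
```

Running it shows the asymmetry the post describes: the legitimate and revoked certificates are handled identically by every checker, but the unrecorded certificate passes the CRL check and the CRL-only responder outright, passes a records-aware responder whenever the client soft-fails on "unknown", and is rejected only by a hard-failing client or by the whitelist; the serial-reusing certificate is rejected by the whitelist alone.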
