Hi,

True, we found about 80 distinct certificates that had subject "Government of Korea" and CA:TRUE [1].

In our full dataset from April 2011, however, we found about 30k certificates with this property. None of them had valid chains to the NSS root store. The numbers do not seem to change over time: in Nov 2009, it was about 30k, and about the same in Sep 2010. In the EFF dataset of the full IPv4 space, I find 773,512 such certificates. *Distinct* ones - and the EFF dataset has 5.5m distinct certs. It is a widespread problem.

For the case of Korea, @KevinSMcArthur found that the issuing certificates have a pathlen of 0, which makes it impossible for the end-host cert to operate as a CA *as long as the client actually checks that extension*. I don't know which ones do, but it would be a question to ask the NSS developers.

As of now, I don't think these are really attacker certs, also because the overall numbers seem to point more at some CA software that creates certs with the CA flag on by default. Although your article seems to indicate something bad is going on over there...

[1] If you want to check, CSVs at:
www.meleeisland.de/korean_hosts_CA_on.csv
www.meleeisland.de/korean_hosts_CA_on_fullchains.csv
www.meleeisland.de/scan_apr2011_ca_on_issuers_not_selfsigned.csv

Ralph

On 09/18/2011 03:37 AM, Marsh Ray wrote:
>
> Been seeing Twitter from @ralphholz, @KevinSMcArthur, and @eddy_nigg
> about some goofy certs surfacing in S Korea with CA=true.
>
> via Reddit http://www.reddit.com/tb/kj25j
> http://english.hani.co.kr/arti/english_edition/e_national/496473.html

--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
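As an added illustration of the pathlen point in the mail above (this is not code from the thread or from any of the datasets referenced): a simplified RFC 5280 section 6.1.4 checker over a constructed chain, with a flag that models a client which ignores pathLenConstraint. All certificate names and the chain itself are made up.

```python
# Added example: why an issuing CA with pathLenConstraint=0 neutralises a
# mis-issued CA:TRUE end-host certificate, but only for clients that enforce
# basicConstraints as RFC 5280 section 6.1.4 requires.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    ca: bool                       # basicConstraints cA
    pathlen: Optional[int] = None  # pathLenConstraint; None = absent


def validate_chain(chain: List[Cert], enforce_pathlen: bool = True) -> Optional[str]:
    """Walk chain[0] (trust anchor) down to chain[-1] (leaf).
    Returns None when the path is acceptable, otherwise the reason it fails.
    Self-issued intermediates are not special-cased, for brevity."""
    max_path_length: Optional[int] = None  # None = unlimited
    for cert in chain[:-1]:  # every non-leaf cert is acting as an issuer
        if not cert.ca:
            return f"{cert.subject}: basicConstraints cA is not TRUE"
        if enforce_pathlen:
            # 6.1.4 (l): an intermediate is only allowed if the budget is > 0
            if max_path_length == 0:
                return f"{cert.subject}: exceeds pathLenConstraint of its issuer"
            if max_path_length is not None:
                max_path_length -= 1
            # 6.1.4 (m): a tighter pathLenConstraint lowers the budget
            if cert.pathlen is not None and (
                max_path_length is None or cert.pathlen < max_path_length
            ):
                max_path_length = cert.pathlen
    return None


# Constructed chain (hypothetical names): a root, an issuing CA with pathlen 0,
# an end-host certificate that was wrongly issued with CA:TRUE, and a leaf that
# the end host has signed with its own key.
ROOT = Cert("Example Root CA", ca=True)
ISSUING_CA = Cert("Example Issuing CA", ca=True, pathlen=0)
HOST_CERT = Cert("www.example.invalid (CA:TRUE by default)", ca=True)
VICTIM_LEAF = Cert("victim.example.invalid", ca=False)

NORMAL_CHAIN = [ROOT, ISSUING_CA, HOST_CERT]            # host cert used as a leaf
MISISSUED_CHAIN = [ROOT, ISSUING_CA, HOST_CERT, VICTIM_LEAF]  # host cert used as a CA

if __name__ == "__main__":
    print("strict client :", validate_chain(MISISSUED_CHAIN))
    print("lax client    :", validate_chain(MISISSUED_CHAIN, enforce_pathlen=False))
```

The strict client rejects the four-certificate chain at the end-host certificate, while the lax client accepts it because every issuer in the path carries cA=TRUE.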
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography