On 7/12/11 23:30 PM, Peter Gutmann wrote:
[NB: Crossposted to two lists where this issue has been discussed in the past]

So it seems like pretty much everyone (at least on these lists) has heard
about the Malaysian CA that issued 512-bit certs for which the keys were
factored and used to sign malware, and that had their CA cert pulled because
of this.

What's had much less (in fact apparently zero) attention

As someone commented to me today, in PKI, any news is good news. As the old aphorism from PT Barnum suggests, facts should not be allowed to interfere with the serious business of advertising. http://en.wikipedia.org/wiki/P._T._Barnum

is the fact that
Digicert Sdn. Bhd. only issued three of the nine certificates that were used
for malware signing.  Three more were issued by Cybertrust, and one each by
GlobalSign, Taiwan-CA, and Anthem.  The first three are root CAs, Anthem is
one of the vast number of you'll-only-find-out-they-exist-when-they're-used-
to-attack-you sub-CAs that are out there.

9 certs of 512-bit size were used in various malware signing attacks, and nothing larger was seen. So it is claimed. So it is probably reasonable to suggest a private key crunching attack on those certs. On the other hand, we don't have enough to rule out the alternates. IMHO.

Still, with this reasonable conjecture in hand, that's probably sufficient for relying parties (vendors as defined in BR) to up the acceptable limit to the next reasonable notch. I'd suggest 768, vendors will do 1024 I guess.

Given the facts (number of attacks, 9?; the number of users, 250m; slowness of updates; lack of reported direct damages) a vendor might reasonably wait until the next convenient release?

Given that the Malaysian CA had its cert pulled for this, can we get a
statement from browser vendors on whether Cybertrust, GlobalSign, and the
others will also similarly have their certs pulled for exactly the same
behaviour?

It is curious.

When we wrote the Mozilla policy, we inserted that Mozilla had the sole right to decide when to pull a root. When I suggested that (yes, blame me now) I knew that any suggestion to pull a root would immediately cause a counter-balancing lawsuit by CAs with cashflow in mind. (Which would win, ask your lawyer how to stop anything with an injunction.)

Oh, and it was impractical to iterate in advance the reasons & causes for pulling a root.

Now I find myself in the other camp - wanting more definite statements. I think there are many discrepancies over time: unusual claims made by vendors ("issued certs in breach of their own CPS" and "failure to notify relying parties"), policy & practice by herd, lack of transparency in vendors' actions, and recent allegations that some (sub-)roots are being used for routine MITMing.

I feel that PKI is entering a crisis phase, much like Europe's finances. Things are going to get worse. So, the question really is, are we going to ask the hard questions and start dealing with some hard answers, or are we going to kick the can along the road a bit more? Worked for Europe, right?

The MITM evidenced in the above attacks was or wasn't a reason to pull a root? Is MITM a reason to pull a root? Sufficient reason?

Or, what is?

And, is that it?  We'll keep burying roots until the pain goes away?

iang
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography