Ram A Moskovitz <[EMAIL PROTECTED]> writes:
>On 15 May 2005 06:56:10 GMT, Peter Gutmann <[EMAIL PROTECTED]> wrote:
>> Ram A Moskovitz <[EMAIL PROTECTED]> writes:
>>
>> >On 11 May 2005 14:32:53 GMT, Peter Gutmann <[EMAIL PROTECTED]> wrote:
>> >> Ian G <[EMAIL PROTECTED]> writes:
>> >> It's already happened, Verisign were pretty much wiped out last year when one
>> >> of their certs expired, resulting in a massive DDoS on crl.verisign.com.
>> >Are you sure that's what happened?
>>
>> It was pretty widely publicised at the time.
>>
>> >> Now
>> >> imagine what would happen if revocation checking were properly done in all
>> >> clients, where you'd get a DDoS that makes last year's one look trivial and
>> >> that continues 24/7.
>>
>> >I disagree. I think OCSP scales well enough that with reasonable client
>> >implementations it can be used for things like SSL server certificate
>> >validation and software publisher validation.
>>
>> OCSP doesn't scale at all, which is why recent "high-performance" OCSP
>> proposals break the protocol's security to allow replay attacks (Verisign for
>> example broke their implementation last year some time in order to get it to,
>> uhh, "scale", other vendors have done the same).  The result is that you're
>> not getting a real certificate status any more, just a replay of an old
>> out-of-date status that may or may not be coming from an attacker.  Nice warm
>> fuzzies, but little else.
>Are you familiar with the high-performance proposal?

It's a "high-performance" proposal, not a high-performance proposal (in other
words unmodified OCSP doesn't scale at all, so the broken version by comparison
is labelled as "high-performance").  Anyway, what it does is remove replay
protection, so the responder (or an outside attacker, you can't tell) replays
an old response for you instead of generating a fresh one.  It thus achieves
better scalability at the expense of breaking the security of the protocol.

(When this nonsense was originally proposed, I sarcastically asked whether the
change was made in order to make it easier for an attacker.  The originator of
the proposal seemed totally unaware that this was a problem).

Peter.
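A constructed illustration of the trade-off described in the message above, added here and not part of the original post: a client validates an OCSP-style response with and without a nonce. The HMAC key stands in for the responder's signature, and the field names, serial number and seven-day lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed values: an HMAC key stands in for the responder's signing key.
RESPONDER_KEY = b"constructed-demo-key"
DAY = 86400

def _sig(r):
    msg = "|".join(str(r[k]) for k in ("serial", "status", "this_update", "next_update"))
    return hmac.new(RESPONDER_KEY, msg.encode() + r["nonce"], hashlib.sha256).digest()

def make_response(serial, status, now, lifetime, nonce=b""):
    """Responder side: sign a status; nonce=b"" models a pre-generated reply."""
    r = {"serial": serial, "status": status, "this_update": now,
         "next_update": now + lifetime, "nonce": nonce}
    r["sig"] = _sig(r)
    return r

def client_accepts(resp, serial, now, sent_nonce=None):
    """Client side: signature, serial and validity window; nonce only if sent."""
    if not hmac.compare_digest(_sig(resp), resp["sig"]):
        return False
    if resp["serial"] != serial:
        return False
    if not resp["this_update"] <= now <= resp["next_update"]:
        return False
    if sent_nonce is not None and not hmac.compare_digest(resp["nonce"], sent_nonce):
        return False
    return True

def demo():
    serial = 0x1234
    # Day 0: certificate is good; a nonce-less response is signed for 7 days.
    cached = make_response(serial, "good", now=0, lifetime=7 * DAY)
    # Day 1: the certificate is revoked.  Day 2: the old response is replayed.
    now = 2 * DAY
    stale_without_nonce = client_accepts(cached, serial, now)
    nonce = os.urandom(16)
    stale_with_nonce = client_accepts(cached, serial, now, sent_nonce=nonce)
    fresh = make_response(serial, "revoked", now, DAY, nonce=nonce)
    fresh_with_nonce = client_accepts(fresh, serial, now, sent_nonce=nonce)
    return stale_without_nonce, stale_with_nonce, fresh_with_nonce, fresh["status"]

if __name__ == "__main__":
    print(demo())
```

Without a nonce the only freshness bound left is the response's own validity window, so the stale "good" status keeps passing validation until next_update is reached.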
