Found this interesting post on Bugtraq. Comments?
Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: [EMAIL PROTECTED]
Web site: http://www.sopac.org/
Support FMaps: http://fmaps.sourceforge.net/
Certificate: https://www.sopac.org/ssl/

This e-mail is intended for its addressees only. Do not forward this e-mail without approval. The views expressed in this e-mail may not necessarily be the views of SOPAC.

-----Original Message-----
From: Pidgorny, Slav [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 19 May 2002 6:01
To: '[EMAIL PROTECTED]'
Subject: Verisign PKI: anyone to subordinate CA

G'day Bugtraq,

Microsoft Security Bulletin MS01-017 (http://www.microsoft.com/technet/security/bulletin/MS01-017.asp) inspired me to do some testing. Here are the results:

1. I configured Microsoft Certificate Services to act as a standalone subordinate CA. A request for a CA certificate was generated.
2. I sent this request as a request for a Web server SSL certificate.
3. The Verisign test CA did not complain upon processing this request. It generated and signed the certificate.
4. I installed the certificate into MS Certificate Services and started the CA service.
5. From now on, I effectively have a signed CA certification. Any generated signatures from this point will have a certification path leading to the root CA.

I only used the Verisign test root CA in my test. The steps above can probably be repeated using the Verisign production root CA, resulting in the situation where I'm becoming a subordinate CA to the Verisign trusted root without letting them know.

The Thawte test CA also signs the CA certificate submitted as a Web server certificate, but MS Certificate Server refuses to install the certificate as the CA certificate. The difference between the Verisign and Thawte certificates is the Basic Constraints field.

If I were using OpenSSL tools instead of MS Certificate Server, I could probably disable all the checks against the CA certificate.

Any thoughts? Do you think it's a security problem?

Regards,
S. Pidgorny, MS MVP, MCSE

DISCLAIMER: Opinions expressed by me are not necessarily my employer's; they are not intended to be formal and accurate. Neither I nor my employer assumes any responsibility for any consequences.

P.S. Many thanks to Dave Ahmad for the discussion leading to this post.
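The Basic Constraints check that the post turns on, as an added example that is not from the original post or its author: a throw-away PKI built with the openssl CLI in which a relying party's path validation rejects a leaf signed by an end-entity certificate (CA:FALSE, or no Basic Constraints at all) and accepts one signed by a proper subordinate CA. All names, keys and extension profiles are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: a disposable PKI built with
# the openssl CLI. It shows that a validator enforcing Basic Constraints
# (RFC 5280, 4.2.1.9) rejects any chain whose leaf was signed by an end-entity
# certificate, the check the post says MS Certificate Server applied to the
# Thawte-issued certificate. All names below are made up.
set -e
WORK=$(mktemp -d); cfg="$WORK/ext.cnf"
trap 'rm -rf "$WORK"' EXIT
cat > "$cfg" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
[ v3_nobc ]
keyUsage = critical, digitalSignature, keyEncipherment
EOF
# csr NAME CN: fresh key plus certificate request for NAME.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# issue NAME ISSUER PROFILE [OUT]: sign NAME's request with ISSUER's key under
# extension profile PROFILE. Any key holder can sign; the validator decides.
issue() {
  openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -extfile "$cfg" -extensions "$3" \
    -out "$WORK/${4:-$1}.crt" 2>/dev/null
}
# chain_ok INTERMEDIATE LEAF: true only if OpenSSL's path validation accepts
# LEAF -> INTERMEDIATE -> demo root.
chain_ok() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$1.crt" \
    "$WORK/$2.crt" >/dev/null 2>&1
}
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -config "$cfg" \
  -extensions v3_ca -subj "/CN=Demo Root" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
csr realca "Demo Sub CA"; csr server "www.example.test"
csr nobc "mail.example.test"; csr leaf "leaf.example.test"
issue realca root v3_ca; issue server root v3_server; issue nobc root v3_nobc
for sub in realca server nobc; do issue leaf "$sub" v3_server "via_$sub"; done
for sub in realca server nobc; do chain_ok "$sub" "via_$sub" && echo "$sub: accepted" || echo "$sub: rejected"; done
```

Only the chain through the CA:TRUE intermediate is accepted; a validator that skipped this check, as the post speculates a patched OpenSSL setup might, would accept all three.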
