> Well, make that hard choice: do you want to have your software fail
> when an up-to-date CRL is not available, or do you want to make your
> software susceptible to a denial-of-service attack on the CRL distro
> process?

Exactly.  Security is all about risk management.  Which is more likely
to happen -- a revocation of a compromised (or mis-issued) high-value key,
or nothing's happened (or other rationale) so the CA didn't get around to
issuing another CRL?

Those aren't static decisions, either, and probably vary depending on
time of day, academic calendar, etc.

> These are the kind of hard questions (of the form "how much are you
> REALLY willing to pay for security?") that the horrible old men who
> task us cannot be bothered to consider.

:)

> > Gotcha. So it would be safe to assume that almost nobody uses CRLs since
> > none of the software I use that does SSL seems to worry about the
> > presence (or lack) of a CRL. Wonderful. That really inspires confidence.

In the general Internet, it's probably not so bad.  SSL is really only
used for data privacy, and US Law limits your exposure for CCard purchases
to $50.  So it's just not worth it for anyone to insist on or implement
stronger controls.

BTW, when VRSN erroneously issued MSFT certificate to non-MSFT employees,
part of the patch from MSFT was to hard-wire a CRL into IE.  "If a CRL
falls in the forest, does it make a sound?"

> > I'll just bump the nextUpdate field out and make sure that the CA is
> > keeping the CRL up-to-date.

The more valuable the certs, the more important it is to have
timely revocation.  The more valuable the certs, the harder it should be
to crank up the CA and sign certs.  Paradoxically, the more valuable
the certs, the easier it should be to crank up the CA and sign CRLs.
If you really care, have your CA issue a CRL-issuing cert to someone else.
        /r$
--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
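
The fail-closed versus fail-open choice discussed in this message, and the effect of pushing nextUpdate out, as an added example that is not part of the original post or of OpenSSL. `Policy`, `check` and `exposure_window` are hypothetical names, and the dates and serial numbers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Date format printed by `openssl crl -noout -lastupdate -nextupdate`.
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_openssl_date(line):
    """Parse e.g. 'nextUpdate=Mar  8 00:00:00 2004 GMT' into an aware datetime."""
    value = " ".join(line.split("=", 1)[1].split())
    return datetime.strptime(value, OPENSSL_FMT).replace(tzinfo=timezone.utc)

@dataclass(frozen=True)
class Policy:  # hypothetical relying-party policy, not an OpenSSL structure
    hard_fail: bool                  # True: no fresh CRL means reject
    grace: timedelta = timedelta(0)  # tolerated CA lateness past nextUpdate

def check(serial, revoked, next_update, now, policy):
    """Return (accepted, reason) for one certificate serial against one CRL."""
    if serial in revoked:
        return (False, "revoked")    # a listed serial is rejected even if the CRL is stale
    if now <= next_update + policy.grace:
        return (True, "fresh")
    if policy.hard_fail:
        return (False, "stale-crl")  # availability cost: a late CA breaks clients
    return (True, "stale-crl-accepted")  # security cost: blocking the CRL hides revocations

def exposure_window(this_update, next_update, policy):
    """Upper bound on how long a cert revoked right after thisUpdate stays accepted
    by a client that refetches only when its CRL expires; None means unbounded."""
    if not policy.hard_fail:
        return None
    return next_update + policy.grace - this_update

# Constructed sample values, not taken from a real CRL.
THIS = parse_openssl_date("lastUpdate=Mar  1 00:00:00 2004 GMT")
NEXT = parse_openssl_date("nextUpdate=Mar  8 00:00:00 2004 GMT")
REVOKED = {0x2B}

if __name__ == "__main__":
    late = NEXT + timedelta(days=1)
    for p in (Policy(True), Policy(True, timedelta(days=2)), Policy(False)):
        print(p, check(0x1A, REVOKED, NEXT, late, p), exposure_window(THIS, NEXT, p))
```

Under hard-fail, every day added to nextUpdate (or to the grace period) adds a day to the bound returned by `exposure_window`; under soft-fail the bound disappears entirely.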