On 09/15/2011 09:17 AM, Fabian Hugelshofer wrote:
> You probably all have heard about the compromise of the DigiNotar CA
> [1]. This CA operated as intermediate certificate authority in several
> trust chains. One of these chains is the "Staat der Nederlanden Root CA".
> This CA has not revoked the DigiNotar intermediate CAs until today.
>
> Popular browsers (at least Mozilla, IE, Chrome) have implemented
> blacklists that block certificates that are known to be fraudulent or
> are signed by a compromised CA. Chrome blocks certain serial numbers of
> server certificates and certain hashes of CA certificates [2]. QT blocks
> certain combinations of serial numbers and common names [3].
>
> As I understand it, it is currently not possible to protect users of Squid
> with SSL bump from certificates that have been issued by the DigiNotar
> intermediate CA in the Staat der Nederlanden hierarchy (as long as this
> root is not removed from the list of trusted CAs).
>
> Are there already plans to implement blacklists or ACLs in Squid
> similar to what most browsers did?
>
> How would you implement such a blacklist? Would you introduce a new ACL
> that can be used to black- or possibly whitelist certain certificates?

Can we rely on the OpenSSL library and its Certificate Revocation Lists support? Have you tried using CRLs for this purpose? I see Squid code that loads CRLs, but I have not tested it.

> What would you use to identify the certificates?
> - Serial number?
> - Serial number and common name?
> - Serial number and issuer?
> - Fingerprint (might not be available in each case)?

I hope somebody already answered these important questions in the general CRL context!

Thank you,

Alex.

> PS: I am not subscribed to the list. Please include me as CC in your reply.
>
>
> [1]
> http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
>
> [2]
> http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate.cc?revision=99534&view=markup
>
> [3]
> http://qt.nokia.com/files/qt-patches/blacklist-diginotar-and-comodo-certs.diff
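The two identification schemes Fabian lists that the browsers actually use (issuer DN plus serial for leaf certificates, a hash of the CA certificate for intermediates) applied to a chain built by Go's standard library, as an added example that is not part of this thread or of Squid; the CA names, serials and keys are constructed test values. Checking every link of the built chain against a local list, rather than only consulting a CRL, is what catches an intermediate its root has not revoked, which is the DigiNotar situation described above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Blacklist mirrors the browser approach from the thread: leaf certificates keyed by
// issuer DN plus serial (a serial alone is unique only per issuer), CAs by SHA-256 of DER.
type Blacklist struct {
	Serials      map[string]bool
	Fingerprints map[[32]byte]bool
}
func SerialKey(c *x509.Certificate) string { return c.Issuer.String() + "|" + c.SerialNumber.Text(16) }
func (b Blacklist) Blocked(c *x509.Certificate) bool { return b.Serials[SerialKey(c)] || b.Fingerprints[sha256.Sum256(c.Raw)] }

// VerifyWithBlacklist builds the chain with the standard library, then rejects it if any link is listed.
func VerifyWithBlacklist(leaf *x509.Certificate, inters, roots *x509.CertPool, b Blacklist) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return err
	}
	for _, c := range chains[0] {
		if b.Blocked(c) {
			return fmt.Errorf("blacklisted certificate in chain: %s", c.Subject)
		}
	}
	return nil
}
// Mint creates a constructed test certificate; it is self-signed when parent is nil.
func Mint(cn string, serial int64, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // throwaway constructed key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}
```

Mint a root, an intermediate and a leaf with Mint, put the root and intermediate into CertPools, and VerifyWithBlacklist accepts the chain with an empty list but rejects it once either the intermediate's fingerprint or the leaf's issuer-plus-serial is listed.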
