On Thu, 24 Mar 2016, Stephen Kent wrote:
> The attack requires that each of the colluding CAs issues a certificate for a targeted Subject (e.g., web site). These two (EE) certificates are identical, hence the use of the term “doppelganger”; they contain the same name, public key, serial number, etc. Only one of the malicious CAs logs the bogus certificate and acquires an SCT for it.
I don't fully understand your description of the attack. If the certificates are doppelgangers, wouldn't that mean that they cannot have AIAs? Otherwise at least one CA would be using an "unusual" AIA revocation location that monitors would detect.
> The logged bogus certificate can be detected by a Monitor (third party or self), that is observing the log(s) to which the certificate was posted. Thus the detection aspect of CT still works with regard to this (bogus) certificate. When this certificate is detected, the CA that logged the certificate might choose to revoke it, i.e., place it on a CRL or create an OCSP response for it. However, a browser checking a CRL or OCSP response may not match this revocation status data against the doppelganger certificate.
So either the EE-certificates have different AIAs and are not doppelgangers, or they would have the same AIAs and a browser would always find the matching CRL/OCSP responses? Or the EE-certs cannot contain AIA revocation information (which in itself should be unusual enough for monitors to pick up).

My understanding is that a lot of code (e.g., NSS) ignores AIA revocation information specified on the Root CAs, but does check them on the intermediate CAs and EE-certs, so I guess the attack can work if the EE-cert has no AIA but the intermediate CAs do? But I guess it would also be odd for an intermediate CA with AIA revocation on it to issue EE-certifications with no AIA revocation information in it?

Paul
