Paul,
On Fri, 25 Mar 2016, Stephen Kent wrote:
> If the certificates are doppelgangers, wouldn't that mean that they
> cannot have AIAs? Otherwise at least one CA would be using an "unusual"
> AIA revocation location that monitors would detect.
The doppelgangers could have AIAs, but they need not, and that is the
assumption I adopted here. In general it is in the interest of the CAs to
not put AIAs in these certs, if the plan is to revoke one, but not the
other. (Unless the CAs can control which revocation status info is
accessible to targeted browser users, in which case it doesn't matter.)
> I would hope that the CT ecosystem would see that if a CA always issues
> with AIA in the EE-cert, and then it issues a cert where it does not,
> that it would get flagged for a human to look at. Part of CT is keeping
> an eye out on the CAs, and this clearly shows some unexpected behaviour
> on one or two particular CAs for not including AIAs. It might not be
> syntactically bogus, but hopefully something the clients and monitors
> would keep an eye out for.
There is no text in any monitor description that calls for this, so it
may be unduly optimistic to assume such ;-). Also, if the CAs collude
they would be smart to never include an AIA extension, so as to avoid
drawing attention when an EE cert w/o such an extension is issued.
> So it seems to me this attack is not very likely to succeed - or at
> least would be a short-lived one with a guarantee of being detected.
> So it comes with a big enigma problem.
I can't agree with your conclusion if it's based on the analysis above,
but I also can't predict how long such an attack might go undetected given
the many variables involved.
Steve
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
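The monitor check Paul hopes for and the blind spot Steve describes, as an added example that is not part of the thread or of any CT monitor: it baselines each issuer's habit of including AIA and flags a new cert that breaks that habit, or that shares a subject name with a cert from another issuer while lacking AIA. The entry format, issuer names and thresholds are all constructed assumptions.

```python
"""Toy CT-monitor check for the AIA-omission pattern discussed in the thread.
Assumes (not from the thread) log entries pre-parsed into issuer/subject/has_aia dicts."""
from collections import Counter, defaultdict

# Constructed sample of pre-parsed log entries, not real certificates.
HISTORY = (
    [{"issuer": "CA-A", "subject": f"host{i}.example.com", "has_aia": True} for i in range(6)]
    + [{"issuer": "CA-B", "subject": f"svc{i}.example.org", "has_aia": False} for i in range(6)]
    + [{"issuer": "CA-B", "subject": "login.example.net", "has_aia": False}]
)
NEW = [
    {"issuer": "CA-A", "subject": "login.example.net", "has_aia": False},  # breaks CA-A's habit
    {"issuer": "CA-B", "subject": "shop.example.org", "has_aia": False},   # CA-B never uses AIA
    {"issuer": "CA-A", "subject": "mail.example.com", "has_aia": True},
]

def issuer_aia_rates(entries):
    """Fraction of each issuer's logged certificates that carry an AIA extension."""
    with_aia, total = Counter(), Counter()
    for e in entries:
        total[e["issuer"]] += 1
        with_aia[e["issuer"]] += int(e["has_aia"])
    return {iss: with_aia[iss] / n for iss, n in total.items()}

def find_suspicious(history, new_entries, min_rate=0.9, min_seen=5):
    """Return {(issuer, subject): [reasons]} for new entries a human should review.
    Reason 1: issuer normally includes AIA (>= min_rate over >= min_seen certs) but omitted it.
    Reason 2: the subject is also certified by another issuer and this cert lacks AIA.
    An issuer that never includes AIA trips neither rule: the blind spot Steve points out."""
    rates = issuer_aia_rates(history)
    totals = Counter(e["issuer"] for e in history)
    issuers_by_subject = defaultdict(set)
    for e in history + new_entries:
        issuers_by_subject[e["subject"]].add(e["issuer"])
    flagged = {}
    for e in new_entries:
        if e["has_aia"]:
            continue
        iss, subj = e["issuer"], e["subject"]
        reasons = []
        if totals[iss] >= min_seen and rates.get(iss, 0.0) >= min_rate:
            reasons.append("aia_omitted_by_issuer_that_normally_includes_it")
        if len(issuers_by_subject[subj]) > 1:
            reasons.append("multi_issuer_subject_without_aia")
        if reasons:
            flagged[(iss, subj)] = reasons
    return flagged
```

Running `find_suspicious(HISTORY, NEW)` flags only the CA-A cert for login.example.net; the CA-B cert passes both rules because CA-B has no AIA habit to break.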