On Mon, 6 Jun 2016, Andrew Ayer wrote:

> This enables the following attack:
>
> 1. A CA issues a legitimate certificate for www1.example.com and logs a
> pre-certificate for ?.example.com.  A monitor for example.com knows the
> pre-certificate is legitimate because it matches a known certificate
> for www1.example.com.
>
> 2. The CA misbehaves and issues an unauthorized certificate for
> www2.example.com which, except for the DNS name, has exactly the same
> details (including serial number and public key) as the certificate for
> www1.example.com.  The CA does not log a certificate or pre-certificate.
>
> 3. An attacker serves the rogue certificate for www2.example.com along
> with the SCT for the ?.example.com pre-certificate.  TLS clients accept
> it because the TBSCertificate that is reconstructed from the certificate
> matches the TBSCertificate of the pre-certificate.  Monitors have no
> idea that there is a rogue certificate for www2.example.com.

That means the attacker has the private key?

I guess when the second certificate would be logged, this would show up
as mis-issued, and possibly both certificates would get revoked?

Wouldn't that be the system working as intended?

Paul

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
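
A toy model of the client check in the three steps from Andrew Ayer's message, added here as an example that is not part of the original thread or of any CT implementation. It assumes JSON plus SHA-256 as stand-ins for the DER TBSCertificate and the log's signature; every field value and function name is constructed for illustration.

```python
import hashlib
import json

def redact_name(dns_name):
    """Replace the leftmost DNS label with '?', as in the ?.example.com pre-certificate."""
    labels = dns_name.split(".")
    return ".".join(["?"] + labels[1:])

def sct_input(tbs):
    """Digest of the redacted TBSCertificate: a stand-in for the data an SCT covers."""
    redacted = dict(tbs, dns_names=sorted(redact_name(n) for n in tbs["dns_names"]))
    encoded = json.dumps(redacted, sort_keys=True).encode()
    return hashlib.sha256(encoded).hexdigest()

def sct_covers(logged_digest, presented_tbs):
    """Client side: reconstruct the redacted TBSCertificate and compare with the log entry."""
    return sct_input(presented_tbs) == logged_digest

def classify(presented_tbs, known_certs, logged_digest):
    """Monitor side: flag a certificate that rides on a logged entry but is not a known one."""
    if not sct_covers(logged_digest, presented_tbs):
        return "sct-mismatch"
    if presented_tbs in known_certs:
        return "known"
    return "sct-valid-but-unknown-certificate"

# Constructed sample certificates (not real data).
LEGIT = {"serial": "0x1001", "public_key": "key-A", "issuer": "Example CA",
         "dns_names": ["www1.example.com"]}
ROGUE = dict(LEGIT, dns_names=["www2.example.com"])   # same serial and key, new name
OTHER_KEY = dict(ROGUE, public_key="key-B")           # differs in a non-redacted field

LOGGED = sct_input(LEGIT)  # the log only ever saw ?.example.com

if __name__ == "__main__":
    for label, cert in (("legit", LEGIT), ("rogue", ROGUE), ("other key", OTHER_KEY)):
        print(label, sct_covers(LOGGED, cert), classify(cert, [LEGIT], LOGGED))
```

The `classify` result for the second certificate only becomes available to a monitor once that certificate is actually observed or logged, which is the situation the reply asks about.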
