Bugtraq mailing list archives
Verisign certificates problem
From: "Sinclair, Roy" <RCSinclair () CESSNA TEXTRON COM>
Date: Fri, 23 Mar 2001 09:30:54 -0600
Some information regarding Verisign Certificates that has come out of this fiasco is quite disturbing but has been under-reported and may have been missed by many in the security business. Pay close attention to this paragraph from the Frequently Asked Questions part of http://www.microsoft.com/technet/security/bulletin/MS01-017.asp:

"The update is needed because of a characteristic of VeriSign code-signing certificates. Every certificate issuer periodically generates a Certificate Revocation List (CRL), which lists all the certificates that should be considered invalid. A field in every certificate should indicate the CRL Distribution Point (CDP) - the location from which the CRL can be obtained. The problem is that VeriSign code-signing certificates leave the CDP information blank. As a result, even though VeriSign has added these two certificates to its current CRL, it's not possible for systems to automatically download and check it."

The first question I have after seeing that is how many of the rest of the 500,000 certificates that Verisign says they have issued also do not have this CRL Distribution Point field properly filled in. In the absence of any information to the contrary I would hazard to guess that it's probable that none of the 500,000 certificates issued by Verisign have supplied the information that should be in this field. If this is truly the case then we have yet another problem of much wider scope than the improper issuance of two certificates: there are a great number of valid certificates which could be stolen or misused, and even if Verisign were to add them to their CRL the certificates themselves don't point to the CRL, so they won't be properly rejected.

Two things need to be done: one is that software which checks certificates must be changed to warn users that certificates lacking a CRL are much more suspect, and Verisign needs to replace all certificates that currently lack this critical information with new certificates that have this field properly filled in. Additional questions that come to mind are how many other certifying agencies have also failed to fill in the information in this field and what percentage of the certificates being used today are unverifiable?
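The check the post asks for, as an added example that is not from the post or from any vendor's software: using Go's standard crypto/x509, it builds two self-signed test certificates (constructed sample data; the names makeTestCert, CheckCDP and the CRL URI are assumptions), one carrying a CRL Distribution Point and one with the field left blank, and flags the one whose CRL could never be located automatically.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckCDP looks for the CRL Distribution Points extension (OID 2.5.29.31) and returns
// its URIs, plus a warning when it is absent: the CRL then cannot be fetched automatically.
func CheckCDP(cert *x509.Certificate) (uris []string, warning string) {
	if len(cert.CRLDistributionPoints) == 0 {
		warning = fmt.Sprintf("%q: no CRL Distribution Point, revocation cannot be checked", cert.Subject.CommonName)
	}
	return cert.CRLDistributionPoints, warning
}

// makeTestCert builds a self-signed certificate as constructed sample data (not a real
// VeriSign certificate); a nil cdp reproduces the blank-CDP case MS01-017 describes.
func makeTestCert(cn string, cdp []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		CRLDistributionPoints: cdp, // the extension is omitted from the DER when empty
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // round-trip through DER, as a verifier would see it
}

func main() {
	for _, cdp := range [][]string{{"http://crl.example.invalid/code.crl"}, nil} {
		cert, err := makeTestCert("test signer", cdp)
		if err != nil {
			panic(err)
		}
		fmt.Println(CheckCDP(cert))
	}
}
```

The same check applies to any parsed certificate, for instance one taken from a signed binary, not only to the generated samples.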
Current thread:
- Verisign certificates problem Sinclair, Roy (Mar 23)
- CRLs (was Re: Verisign certificates problem j eric townsend (Mar 25)
- Re: CRLs (was Re: Verisign certificates problem Patrick Patterson (Mar 26)
- <Possible follow-ups>
- Re: Verisign certificates problem Elias Levy (Mar 24)
- Re: Verisign certificates problem Peter Gutmann (Mar 25)
- Re: Verisign certificates problem Peter Gutmann (Mar 25)
- Re: Verisign certificates problem Ogle Ron (Rennes) (Mar 26)
- Re: Verisign certificates problem Michael Reilly (Mar 27)
- Re: Verisign certificates problem Wham Bang (Mar 27)