Bugtraq mailing list archives

Verisign certificates problem

From: "Sinclair, Roy" <RCSinclair () CESSNA TEXTRON COM>
Date: Fri, 23 Mar 2001 09:30:54 -0600

Some information regarding Verisign Certificates that has come out of this
fiasco is quite disturbing but has been under reported and may have been
missed by many in the security business.

Pay close attention to this paragraph from the Frequently Asked Questions
part of http://www.microsoft.com/technet/security/bulletin/MS01-017.asp:

"The update is needed because of a characteristic of VeriSign code-signing
certificates. Every certificate issuer periodically generates a Certificate
Revocation List (CRL), which lists all the certificates that should be
considered invalid. A field in every certificate should indicate the CRL
Distribution Point (CDP) - the location from which the CRL can be obtained.
The problem is that VeriSign code-signing certificates leave the CDP
information blank. As a result, even though VeriSign has added these two
certificates to its current CRL, it's not possible for systems to
automatically download and check it. "
The first question I have after seeing that is how many of the rest of the
500,000 certificates that Verisign says they have issued also do not have
this CRL Distribution Point field properly filled in.  In the lack of any
information to the contrary I would hazard to guess that it's probably that
none of the 500,000 certificates issued by Verisign have supplied the
information that should be in this field.  If this is truly the case then we
have yet another problem of much wider scope than the improper issuance of
two certificates, there are a great number of valid certificates which could
be stolen or misused and even if Verisign were to add them to their CRL the
certificates themselves don't point to the CRL so they won't be properly
rejected.
Two things need to be done, one is that software which checks certificates
must be changed to warn users that certificates lacking a CRL are much more
suspect and Verisign needs to re-place all certificates that currently lack
this critical information with new certificates that have this field
properly filled in.
Additional questions that come to mind is how many other certifying agencies
have also failed to fill in the information in this field and what
percentage of the certificates being used today are unverifiable?

Current thread:

Verisign certificates problem Sinclair, Roy (Mar 23)
- CRLs (was Re: Verisign certificates problem j eric townsend (Mar 25)
  - Re: CRLs (was Re: Verisign certificates problem Patrick Patterson (Mar 26)
- <Possible follow-ups>
- Re: Verisign certificates problem Elias Levy (Mar 24)
- Re: Verisign certificates problem Peter Gutmann (Mar 25)
- Re: Verisign certificates problem Peter Gutmann (Mar 25)
- Re: Verisign certificates problem Ogle Ron (Rennes) (Mar 26)
  - Re: Verisign certificates problem Michael Reilly (Mar 27)
- Re: Verisign certificates problem Wham Bang (Mar 27)