Bugtraq mailing list archives
Re: Verisign certificates problem
From: Peter Gutmann <pgut001 () cs auckland ac nz>
Date: Sun, 25 Mar 2001 23:08:18 -0700
"Sinclair, Roy" <RCSinclair () CESSNA TEXTRON COM> writes:
Some information regarding Verisign Certificates that has come out of this fiasco is quite disturbing but has been under reported and may have been missed by many in the security business. Pay close attention to this paragraph from the Frequently Asked Questions part of http://www.microsoft.com/technet/security/bulletin/MS01-017.asp: "The update is needed because of a characteristic of VeriSign code-signing certificates. Every certificate issuer periodically generates a Certificate Revocation List (CRL), which lists all the certificates that should be considered invalid. A field in every certificate should indicate the CRL Distribution Point (CDP) - the location from which the CRL can be obtained. The problem is that VeriSign code-signing certificates leave the CDP information blank. As a result, even though VeriSign has added these two certificates to its current CRL, it's not possible for systems to automatically download and check it. "
I really have to jump in to correct this, I suspect Verisign won't be able to say anything because they don't want to get into a mudslinging match with MS, but blaming this part of the mess on Verisign isn't right (they shouldn't have issued the certs, sure, but the lack of revocation handling isn't a Verisign problem, if anything it's a Microsoft screwup). First of all, CRLDP is an optional extension, which means you can include it or not include it (most CAs leave it out). Claiming that Verisign are somehow at fault because they don't include this extension is incorrect. Secondly, even if they had included it, it wouldn't have done any good. The revocation checking in MSIE is handled by an add-on DLL called VSREVOKE.DLL. This has some random URL at Verisign hardcoded into it. If you go into MSIE and dive down into some obscure menu and enable revocation checking (it's disabled by default), what'll happen is that it'll go to the hardcoded address, find there's nothing there, eventually time out, and process the cert anyway. The only effect of enabling revocation checking is that every time MSIE sees a cert, it stalls for about a minute before it continues as if nothing was wrong (this was for IE4, maybe they've finally fixed it in 5, but that won't help the huge number of uses who get IE4 pre-installed and never change their machine configuration). Therefore even if Verisign had included CRLDP's, MSIE will ignore them by default, and if you can figure out how to enable processing would get it wrong.
Even if Verisign were to add them to their CRL the certificates themselves don't point to the CRL so they won't be properly rejected.
Even if Verisign were to add them to their CRL, it wouldn't help you if you were using Microsoft software. (Rant: As a company which has the most broken certificate processing software around - using the list in the X.509 style guide as a basis, they have almost as many implementation errors as all other vendors combined - MS really aren't in any position to point fingers at others). Peter.
Current thread:
- Verisign certificates problem Sinclair, Roy (Mar 23)
- CRLs (was Re: Verisign certificates problem j eric townsend (Mar 25)
- Re: CRLs (was Re: Verisign certificates problem Patrick Patterson (Mar 26)
- <Possible follow-ups>
- Re: Verisign certificates problem Elias Levy (Mar 24)
- Re: Verisign certificates problem Peter Gutmann (Mar 25)
- Re: Verisign certificates problem Peter Gutmann (Mar 25)
- Re: Verisign certificates problem Ogle Ron (Rennes) (Mar 26)
- Re: Verisign certificates problem Michael Reilly (Mar 27)
- Re: Verisign certificates problem Wham Bang (Mar 27)
- CRLs (was Re: Verisign certificates problem j eric townsend (Mar 25)