Re: Verisign certificates problem

[Peter Gutmann <pgut001 () cs auckland ac nz>]

"Sinclair, Roy" <RCSinclair () CESSNA TEXTRON COM> writes:

> Some information regarding Verisign Certificates that has come out of this
> fiasco is quite disturbing but has been under reported and may have been
> missed by many in the security business.
>
> Pay close attention to this paragraph from the Frequently Asked Questions part
> of http://www.microsoft.com/technet/security/bulletin/MS01-017.asp:
>
> "The update is needed because of a characteristic of VeriSign code-signing
> certificates. Every certificate issuer periodically generates a Certificate
> Revocation List (CRL), which lists all the certificates that should be
> considered invalid. A field in every certificate should indicate the CRL
> Distribution Point (CDP) - the location from which the CRL can be obtained.
> The problem is that VeriSign code-signing certificates leave the CDP
> information blank. As a result, even though VeriSign has added these two
> certificates to its current CRL, it's not possible for systems to
> automatically download and check it. "

I really have to jump in to correct this, I suspect Verisign won't be able to
say anything because they don't want to get into a mudslinging match with MS,
but blaming this part of the mess on Verisign isn't right (they shouldn't have
issued the certs, sure, but the lack of revocation handling isn't a Verisign
problem, if anything it's a Microsoft screwup).

First of all, CRLDP is an optional extension, which means you can include it or
not include it (most CAs leave it out).  Claiming that Verisign are somehow
at fault because they don't include this extension is incorrect.

Secondly, even if they had included it, it wouldn't have done any good.  The
revocation checking in MSIE is handled by an add-on DLL called VSREVOKE.DLL.
This has some random URL at Verisign hardcoded into it.  If you go into MSIE
and dive down into some obscure menu and enable revocation checking (it's
disabled by default), what'll happen is that it'll go to the hardcoded address,
find there's nothing there, eventually time out, and process the cert anyway.
The only effect of enabling revocation checking is that every time MSIE sees a
cert, it stalls for about a minute before it continues as if nothing was wrong
(this was for IE4, maybe they've finally fixed it in 5, but that won't help the
huge number of uses who get IE4 pre-installed and never change their machine
configuration).

Therefore even if Verisign had included CRLDP's, MSIE will ignore them by
default, and if you can figure out how to enable processing would get it wrong.

> Even if Verisign were to add them to their CRL the certificates themselves
> don't point to the CRL so they won't be properly rejected.

Even if Verisign were to add them to their CRL, it wouldn't help you if you
were using Microsoft software.

(Rant: As a company which has the most broken certificate processing software
 around - using the list in the X.509 style guide as a basis, they have almost
 as many implementation errors as all other vendors combined - MS really aren't
 in any position to point fingers at others).

Peter.