[Cryptography] Go home PKI, you're drunk
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Mon Apr 13 05:51:37 EDT 2015
It was recently pointed out on the Mozilla security list [0] that a particular
large corporation's web site was failing cert validation in Firefox because
there were spaces embedded in the FQDNs in the cert (alongside other problems
with cert-holder identification). So I grabbed a copy of the cert chain from
one of the sites, postofficeshop.de, and found, among other things...
1018 45: SEQUENCE {
1020 37: OBJECT IDENTIFIER '1 3 6 1 4 1 311 21 8 3675690 6234259 10436751 12227305 62135 141 959321 10252252'
: Error: OID contains random garbage.
1059 1: INTEGER 100
1062 1: INTEGER 6
: }
(that's one of Microsoft's "encode random noise and call it an OID"), and then:
1209 68: SEQUENCE {
1211 9: OBJECT IDENTIFIER
: sMIMECapabilities (1 2 840 113549 1 9 15)
for what is explicitly a TLS server cert:
1074 20: SEQUENCE {
1076 8: OBJECT IDENTIFIER
: clientAuth (1 3 6 1 5 5 7 3 2)
1086 8: OBJECT IDENTIFIER
: serverAuth (1 3 6 1 5 5 7 3 1)
: }
: }
Oh yeah, and the S/MIME implementation that their TLS server is supposed to
run advertises:
1226 14: SEQUENCE {
1228 8: OBJECT IDENTIFIER rc2CBC (1 2 840 113549 3 2)
1238 2: INTEGER 128
: }
1242 14: SEQUENCE {
1244 8: OBJECT IDENTIFIER rc4 (1 2 840 113549 3 4)
1254 2: INTEGER 128
: }
1258 7: SEQUENCE {
1260 5: OBJECT IDENTIFIER desCBC (1 3 14 3 2 7)
: }
because someone has to keep all those 1970s and 1980s ciphers alive somewhere.
Then the next cert up the chain (an intermediate CA) has:
710 2683: SEQUENCE {
714 3: OBJECT IDENTIFIER nameConstraints (2 5 29 30)
719 2674: OCTET STRING, encapsulates {
723 2670: SEQUENCE {
727 2616: [0] {
731 17: SEQUENCE {
733 15: [2] 'adressdialog.de'
: }
750 20: SEQUENCE {
752 18: [2] 'adress-research.de'
: }
[on and on for hundreds of lines]
and:
3347 48: [1] {
3349 10: SEQUENCE {
3351 8: [7] 00 00 00 00 00 00 00 00
: }
3361 34: SEQUENCE {
3363 32: [7]
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: }
: }
: }
The recent CNNIC discussion mentioned the fact that trusted CAs shouldn't be
allowed to issue unconstrained certs for intermediate CAs. Perhaps we need to
introduce requirements for drug-testing intermediates as well.
(I should note here that there's nothing in the PKI specs that prohibits any
of the above, so that putting an MPEG of a cat into a certificate is perfectly
standards-compliant [1]. There's also no law specifically saying that you're
not allowed to stagger around in public complaining that the sun is too loud
and warning people about the ice weasels [2], but that doesn't mean that it's
not a sign that something's gone seriously wrong somewhere).
Peter.
[0] http://thread.gmane.org/gmane.comp.mozilla.devel.security.policy/1893
[1] https://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
[2] https://www.youtube.com/watch?v=JE37e1eK2mY#t=352
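An added lint check for two of the problems above (not code from the post): it walks DER one level at a time, flags a space inside a SAN dNSName, and flags an sMIMECapabilities extension on a certificate whose EKU includes serverAuth. The extension block it checks is constructed to mimic the server cert described above (the host names are placeholders), and the walker assumes well-formed DER.

```python
# Added example, not code from the post: a minimal DER walker with lint checks for two oddities
# above (a space in a SAN dNSName; sMIMECapabilities on a serverAuth cert). Sample data is constructed.
def tlv(tag, body):                        # DER tag + definite length + content
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def oid_body(dotted):                      # dotted OID -> content octets (base-128 arcs)
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        while a := a >> 7:                 # leading bytes carry the continuation bit
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return bytes(out)
oid = lambda dotted: tlv(0x06, oid_body(dotted))
def children(buf):                         # one level of DER: [(tag, value), ...]
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                       # long-form length: n & 0x7F length octets follow
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        out.append((tag, buf[i:i + n]))
        i += n
    return out
SAN, EKU = oid_body("2.5.29.17"), oid_body("2.5.29.37")
SMIME_CAPS, SERVER_AUTH = oid_body("1.2.840.113549.1.9.15"), oid_body("1.3.6.1.5.5.7.3.1")
def lint_extensions(ext_seq_body):         # body of the Extensions SEQUENCE -> list of findings
    findings, has_smime, ekus = [], False, set()
    for _, ext in children(ext_seq_body):  # Extension ::= SEQUENCE { OID, [critical], OCTET STRING }
        parts = children(ext)
        ext_oid, inner = parts[0][1], children(parts[-1][1])[0][1]   # extnValue's outer SEQUENCE body
        has_smime |= ext_oid == SMIME_CAPS
        if ext_oid == SAN:                 # [2] dNSName: a host name, so no spaces belong in it
            findings += ["space in SAN dNSName %r" % v.decode("latin-1")
                         for t, v in children(inner) if t == 0x82 and b" " in v]
        elif ext_oid == EKU:
            ekus = {v for _, v in children(inner)}
    if has_smime and SERVER_AUTH in ekus:
        findings.append("sMIMECapabilities extension on a serverAuth certificate")
    return findings

def sample_extensions():                   # constructed, mimicking the post's server cert
    ext = lambda dotted, value: tlv(0x30, oid(dotted) + tlv(0x04, value))
    san = tlv(0x30, tlv(0x82, b"shop .example") + tlv(0x82, b"www.shop.example"))
    eku = tlv(0x30, oid("1.3.6.1.5.5.7.3.2") + oid("1.3.6.1.5.5.7.3.1"))
    smime = tlv(0x30, tlv(0x30, oid("1.2.840.113549.3.4") + tlv(0x02, b"\x00\x80")))  # rc4, 128
    return ext("2.5.29.17", san) + ext("2.5.29.37", eku) + ext("1.2.840.113549.1.9.15", smime)
```

Run `lint_extensions(sample_extensions())` to get both findings; feeding it the Extensions body of a real DER certificate works the same way.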