Verisign CRL single point of failure

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Jan 9 21:16:27 EST 2004


Rich Salz <rsalz at datapower.com> writes:

>Can someone explain to me why the expiring of a certificate causes new
>massive CRL queries?

Here's the reply straight from Verisign:

-- Snip --

We wanted to pass on a notification that we have determined what we feel is
the root cause of the CRL outage issue. It appears that at midnight GMT (4pm
PST) on January 7, 2004, VeriSign experienced a sudden and dramatic increase
in the number of requests by Windows-based clients to download a certificate
revocation list (CRL). The CRL is a file which confirms the validity status of
a set of certificates, and is used by applications and users to determine
whether a particular certificate has been revoked between the time it was
issued and the time it will expire. The CRL in question was for a code-signing
application.

VeriSign normally serves up several million CRLs per hour. These CRLs
typically have one- to two-week validity periods, and client applications
using CRLs will check for an update as the CRL expires. The Code Signing CRL
was supplied to a large number of Windows clients. When that CRL expired,
those clients simultaneously requested a particularly large CRL file,
resulting in an eight-fold increase in traffic at the site crl.verisign.com,
where VeriSign hosts all our CRLs. As a result, Windows-based
browsers requesting status of certain server certificates have experienced
intermittent delays.

VeriSign has increased its capacity to handle these requests by 10-fold in the
past 8 hours. As the particular code-signing CRL file is no longer
dynamically changing, there will be no need for clients, once they have
downloaded this file, to request a new version of this particular CRL. While
this does not represent a security risk, it may have represented a performance
degradation for some users. VeriSign regrets the inconvenience caused to
customers, and has implemented procedures both internally, and with our
partners, to ensure that this problem does not reoccur. Please note that this
problem is in no way related to the Intermediate CA expiration issue discussed
on our site at <http://www.verisign.com/support/vendors/exp-gsid-ssl.html?sl=070807>. Although
the expiration dates are the same, it is strictly a coincidence in timing.

-- Snip --

ObComment again: Ahh, the wonders of doing an online CRL fetch that feeds you
  information that's two weeks out of date.  I'm not sure what the "no longer
  dynamically changing" means, I assume they've made it even worse by giving
  it a much larger expiry period, so your online check gives you the status
  from last year instead of last week.

Peter.
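An added illustration, not part of the message or of VeriSign's notice, of the refetch pattern the notice describes: every client holding the same CRL waits until its nextUpdate and then fetches in the same second, compared with clients that refresh at a random point in the window before expiry. The client population and jitter window are assumed values; the two-week validity period is the one the notice gives.

```python
from collections import Counter
import random

# Two-week validity period, the figure the notice gives for VeriSign's CRLs.
CRL_VALIDITY_SECS = 14 * 24 * 3600


def next_update(this_update: int, validity: int = CRL_VALIDITY_SECS) -> int:
    """nextUpdate of a CRL issued at this_update (both in seconds since epoch)."""
    return this_update + validity


def client_refetch_time(next_upd: int, jitter_window: int, rng: random.Random) -> int:
    """Moment at which one client goes back to the distribution point for a fresh CRL.

    jitter_window == 0 models the behaviour in the notice: the client keeps the
    cached CRL until nextUpdate and only then fetches, so every client holding
    the same CRL fetches in the same second.  A positive window models a client
    that refreshes at a random point during the last jitter_window seconds
    before expiry, spreading the load while never using a CRL past nextUpdate.
    """
    if jitter_window <= 0:
        return next_upd
    return next_upd - rng.randrange(jitter_window)


def requests_per_second(n_clients: int, next_upd: int, jitter_window: int,
                        seed: int = 1) -> Counter:
    """Count refetches per second across n_clients that all share one CRL."""
    rng = random.Random(seed)  # fixed seed so the simulation is reproducible
    return Counter(client_refetch_time(next_upd, jitter_window, rng)
                   for _ in range(n_clients))


def peak_requests_per_second(n_clients: int, next_upd: int, jitter_window: int) -> int:
    """Worst single-second load the CRL distribution point sees."""
    return max(requests_per_second(n_clients, next_upd, jitter_window).values())


if __name__ == "__main__":
    expiry = next_update(0)
    clients = 100_000            # assumed population; the notice gives no number
    for window in (0, 3600):     # 0 = wait for expiry; 3600 = spread over last hour
        peak = peak_requests_per_second(clients, expiry, window)
        print(f"jitter window {window:>5}s: peak {peak} requests in one second")
```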


---------------------------------------------------------------------
The Cryptography Mailing List