Verisign CRL single point of failure
t.c.jones at att.net
Fri Jan 9 22:19:05 EST 2004
Verisign incorrectly built the new certificate, causing every SSL access on IE 5.x to request a
new CRL (700k) on every single SSL access. This has been fixed; a new updated cert is
available and the CRL storm is abating. See the Verisign site for more details on what they did to
fix the problem, but nothing of course on what they did wrong.
Note that two separate certs expired at the same time so there were two competing DOS attacks
simultaneously.
hth ..tom
> Can someone explain to me why the expiring of a certificate causes new
> massive CRL queries?
> /r$
>
> --
> Rich Salz, Chief Security Architect
> DataPower Technology http://www.datapower.com
> XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
> XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com