A mighty fortress is our PKI, Part II

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jul 28 12:23:52 EDT 2010


Nicolas Williams <Nicolas.Williams at oracle.com> writes:

>Sorry, but this is wrong.  The OCSP protocol itself really is an online
>certificate status protocol.  

It's not an online certificate status protocol because it can provide neither
a yes or a no response to a query about the validity of a certificate.

(For an online status protocol I want to be able to submit a cert and get back
a straight valid/not valid response, exactly as I can for credit cards with
their authorised/declined response.  Banks were doing this twenty years ago
with creaky mainframes over X.25 and (quite probably) wet bits of string, but
we still can't do this today with multicore CPUs and gigabit links if we're
using OCSP).

>Responder implementations may well be based on checking CRLs, but they aren't
>required to be.

They may be, or they may not be, but you as a relying party have no way of 
telling.  OCSP covers not only the three incompatible business models of the 
different authors' employers but, for good measure, an extra "anything else 
you may care to do" option if the first three aren't enough.  A decade after 
it was published, PKI experts are still arguing over what various bits of the 
OCSP spec actually mean (the PKIX list has only just gone through yet another 
round of this... *ten years* later and domain experts still can't agree on how 
it's supposed to work).  So given the schizophrenic nature of the RFC you can 
easily claim "but you can do X" because chances are if you read it just right 
you probably can.  Unfortunately this doesn't give a relying party much to 
rely on, because they have absolutely no idea what they're getting, it could 
be anything from a live database query to a value from a month-old CRL to 
(thanks to the removal of nonces from the protocol a few years ago) an 
attacker replaying an old "not-revoked" value (although I don't know why 
they'd even bother with that, given the state of revocation checking in client 
software).

In any event though since OCSP can't say yes or no, it doesn't matter whether 
the response is coming from a live database or a month-old CRL, since it's 
still a fully CRL-bug-compatible blacklist I can trivially avoid it with a 
manufactured-cert attack.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list