A mighty fortress is our PKI, Part II
Paul Tiemann
paul.tiemann.usenet at gmail.com
Wed Jul 28 16:30:32 EDT 2010
On Jul 28, 2010, at 10:23 AM, Peter Gutmann wrote:
> Nicolas Williams <Nicolas.Williams at oracle.com> writes:
>
>> Sorry, but this is wrong. The OCSP protocol itself really is an online
>> certificate status protocol.
>
> It's not an online certificate status protocol because it can provide neither
> a yes or a no response to a query about the validity of a certificate.
>
> (For an online status protocol I want to be able to submit a cert and get back
> a straight valid/not valid response, exactly as I can for credit cards with
> their authorised/declined response.
It might not be hard to determine whose OCSP responders are CRL based and whose are database backed instead.
> Banks were doing this twenty years ago
> with creaky mainframes over X.25 and (quite probably) wet bits of string, but
> we still can't do this today with multicore CPUs and gigabit links if we're
> using OCSP).
Yes we can, and some actually do.
>> Responder implementations may well be based on checking CRLs, but they aren't
>> required to be.
>
> They may be, or they may not be, but you as a relying party have no way of
> telling.
Even the most savvy of relying parties probably has no way of caring. They want to know when something is positively revoked, and having a definitive Yes is a nice distinction, but having a definitive Not-Revoked appears to be good enough for most.
> In any event though since OCSP can't say yes or no, it doesn't matter whether
> the response is coming from a live database or a month-old CRL, since it's
> still a fully CRL-bug-compatible blacklist I can trivially avoid it with a
> manufactured-cert attack.
You're right: a manufactured-cert attack is going to really hurt that kind of an OCSP responder.
Is a manufactured-cert a trivial thing to create?
Paul Tiemann
(DigiCert)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list