[Cryptography] Go home PKI, you're drunk

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Apr 13 05:51:37 EDT 2015


It was recently pointed out on the Mozilla security list [0] that a particular
large corporation's web site was failing cert validation in Firefox because
there were spaces embedded in the FQDNs in the cert (alongside other problems
with cert-holder identification).  So I grabbed a copy of the cert chain from
one of the sites, postofficeshop.de, and found, among other things...

1018   45: SEQUENCE {
1020   37:   OBJECT IDENTIFIER '1 3 6 1 4 1 311 21 8 3675690 6234259 10436751 12227305 62135 141 959321 10252252'
         :     Error: OID contains random garbage.
1059    1:   INTEGER 100
1062    1:   INTEGER 6
         :   }

(that's one of Microsoft's "encode random noise and call it an OID"), and then:

1209   68: SEQUENCE {
1211    9:   OBJECT IDENTIFIER
         :     sMIMECapabilities (1 2 840 113549 1 9 15)

for what is explicitly a TLS server cert:

1074   20: SEQUENCE {
1076    8:   OBJECT IDENTIFIER
         :     clientAuth (1 3 6 1 5 5 7 3 2)
1086    8:   OBJECT IDENTIFIER
         :     serverAuth (1 3 6 1 5 5 7 3 1)
         :   }
         : }

Oh yeah, and the S/MIME implementation that their TLS server is supposed to
run advertises:

1226   14: SEQUENCE {
1228    8:   OBJECT IDENTIFIER rc2CBC (1 2 840 113549 3 2)
1238    2:   INTEGER 128
         :   }
1242   14: SEQUENCE {
1244    8:   OBJECT IDENTIFIER rc4 (1 2 840 113549 3 4)
1254    2:   INTEGER 128
         :   }
1258    7: SEQUENCE {
1260    5:   OBJECT IDENTIFIER desCBC (1 3 14 3 2 7)
         :   }

because someone has to keep all those 1970s and 1980s ciphers alive somewhere.

Then the next cert up the chain (an intermediate CA) has:

 710 2683: SEQUENCE {
 714    3:   OBJECT IDENTIFIER nameConstraints (2 5 29 30)
 719 2674:   OCTET STRING, encapsulates {
 723 2670:     SEQUENCE {
 727 2616:       [0] {
 731   17:         SEQUENCE {
 733   15:           [2] 'adressdialog.de'
         :           }
 750   20:         SEQUENCE {
 752   18:           [2] 'adress-research.de'
         :           }
[on and on for hundreds of lines]

and:

3347   48: [1] {
3349   10:   SEQUENCE {
3351    8:     [7] 00 00 00 00 00 00 00 00
         :     }
3361   34:   SEQUENCE {
3363   32:     [7]
         :       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         :       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         :     }
         :   }
         : }

The recent CNNIC discussion mentioned the fact that trusted CAs shouldn't be
allowed to issue unconstrained certs for intermediate CAs.  Perhaps we need to
introduce requirements for drug-testing intermediates as well.

(I should note here that there's nothing in the PKI specs that prohibits any
of the above, so that putting an MPEG of a cat into a certificate is perfectly
standards-compliant [1].  There's also no law specifically saying that you're
not allowed to stagger around in public complaining that the sun is too loud
and warning people about the ice weasels [2], but that doesn't mean that it's
not a sign that something's gone seriously wrong somewhere).

Peter.

[0] http://thread.gmane.org/gmane.comp.mozilla.devel.security.policy/1893
[1] https://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
[2] https://www.youtube.com/watch?v=JE37e1eK2mY#t=352
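Added example (not part of Peter's post, and not code from any project mentioned in it): a small pure-Python DER walker that decodes the three kinds of structure quoted above and flags what the post objects to: the OID whose arcs are encoded noise, the clientAuth/serverAuth EKU sitting next to an sMIMECapabilities extension full of RC2/RC4/DES, and the excludedSubtrees entries consisting entirely of zero octets. The DER it parses is constructed inline to mirror the dump, so it is sample data rather than the real postofficeshop.de chain bytes; the threshold used to call an OID arc "implausibly large" is my own heuristic, not dumpasn1's check. The reading of the all-zero iPAddress entries follows RFC 5280 section 4.2.1.10, where an iPAddress name constraint is an address followed by a CIDR-style mask, so a mask of all zero bits matches every address of that family.

```python
# Added example, not code from the original post: a minimal DER walker that
# audits X.509 extension values for the oddities described above.  The DER inputs
# are constructed inline to mirror the dump (not the real postofficeshop.de bytes).
KNOWN = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
         "1.2.840.113549.3.2": "rc2CBC", "1.2.840.113549.3.4": "rc4", "1.3.14.3.2.7": "desCBC"}
LEGACY_CIPHERS = {"rc2CBC", "rc4", "desCBC"}       # the "1970s and 1980s ciphers" of the post

def _b128(n):                                       # base-128 subidentifier, high bytes first
    out = [n & 0x7F]; n >>= 7
    while n: out.append(0x80 | (n & 0x7F)); n >>= 7
    return bytes(reversed(out))

def encode_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    return _b128(a[0] * 40 + a[1]) + b"".join(_b128(x) for x in a[2:])

def decode_oid(body):
    arcs, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(cur); cur = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def der_length(n):                                  # short and long-form DER lengths
    if n < 0x80: return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body): return bytes([tag]) + der_length(len(body)) + body
def seq(*items): return tlv(0x30, b"".join(items))
def oid(dotted): return tlv(0x06, encode_oid(dotted))
def integer(n): return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def read_tlv(buf, off=0):                           # returns (tag, value, offset after the TLV)
    tag, first = buf[off], buf[off + 1]; off += 2
    length = first
    if first & 0x80:
        n = first & 0x7F; length = int.from_bytes(buf[off:off + n], "big"); off += n
    return tag, buf[off:off + length], off + length

def children(body):                                 # iterate the TLVs inside a constructed value
    off = 0
    while off < len(body):
        tag, val, off = read_tlv(body, off); yield tag, val

def suspicious_oid(dotted, limit=1 << 20):
    """My heuristic (not dumpasn1's): real arcs are small registry numbers, arcs in the millions look like encoded noise."""
    return any(int(x) >= limit for x in dotted.split("."))

def describe_ip_constraint(octets):
    """RFC 5280 4.2.1.10: an iPAddress constraint is address||mask, 8 octets (v4) or 32 (v6).
    A CIDR mask of all zero bits makes the entry match every address of that family."""
    if len(octets) not in (8, 32): return "malformed (%d octets)" % len(octets)
    half = len(octets) // 2; addr, mask = octets[:half], octets[half:]
    fmt = (lambda b: ".".join(map(str, b))) if half == 4 else (lambda b: b.hex())
    return fmt(addr) + "/" + fmt(mask) + ("" if any(mask) else " (all-zero mask: matches every address)")

def audit_name_constraints(ext_value):
    """NameConstraints ::= SEQUENCE { permittedSubtrees [0] OPTIONAL, excludedSubtrees [1] OPTIONAL }"""
    out = []
    for ctag, subtrees in children(read_tlv(ext_value)[1]):
        kind = {0xA0: "permitted", 0xA1: "excluded"}[ctag]
        for _, subtree in children(subtrees):         # GeneralSubtree: base GeneralName comes first
            ntag, name = next(children(subtree))
            if ntag == 0x82: out.append((kind, "dNSName", name.decode("ascii")))
            elif ntag == 0x87: out.append((kind, "iPAddress", describe_ip_constraint(name)))
            else: out.append((kind, "GeneralName[%d]" % (ntag & 0x1F), name.hex()))
    return out

def audit_eku(ext_value):                           # ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId
    return [KNOWN.get(decode_oid(v), decode_oid(v)) for _, v in children(read_tlv(ext_value)[1])]

def audit_smime_caps(ext_value):
    """SMIMECapabilities ::= SEQUENCE OF SEQUENCE { capabilityID OID, parameters ANY OPTIONAL }
    Returns (algorithm, key bits or None, is-legacy) per entry."""
    out = []
    for _, cap in children(read_tlv(ext_value)[1]):
        parts = list(children(cap))
        name = KNOWN.get(decode_oid(parts[0][1]), decode_oid(parts[0][1]))
        bits = int.from_bytes(parts[1][1], "big") if len(parts) > 1 else None
        out.append((name, bits, name in LEGACY_CIPHERS))
    return out

def build_samples():
    """Constructed DER mirroring the structures in the dump above (sample data, not the real chain)."""
    template = seq(oid("1.3.6.1.4.1.311.21.8.3675690.6234259.10436751.12227305.62135.141.959321.10252252"),
                   integer(100), integer(6))
    eku = seq(oid("1.3.6.1.5.5.7.3.2"), oid("1.3.6.1.5.5.7.3.1"))
    smime = seq(seq(oid("1.2.840.113549.3.2"), integer(128)),
                seq(oid("1.2.840.113549.3.4"), integer(128)), seq(oid("1.3.14.3.2.7")))
    permitted = tlv(0xA0, seq(tlv(0x82, b"adressdialog.de")) + seq(tlv(0x82, b"adress-research.de")))
    excluded = tlv(0xA1, seq(tlv(0x87, bytes(8))) + seq(tlv(0x87, bytes(32))))
    return {"template": template, "eku": eku, "smime": smime, "nc": seq(permitted + excluded)}

def run_audit():
    s = build_samples()
    template_oid = decode_oid(next(children(read_tlv(s["template"])[1]))[1])
    return {"template_oid": template_oid, "template_oid_suspicious": suspicious_oid(template_oid),
            "eku": audit_eku(s["eku"]), "smime": audit_smime_caps(s["smime"]),
            "name_constraints": audit_name_constraints(s["nc"])}
```

Calling run_audit() returns a dict in which the template OID is flagged, the EKU list reads ['clientAuth', 'serverAuth'], every sMIMECapabilities entry is marked legacy, and both excludedSubtrees entries decode to an all-zero address with an all-zero mask. The walker is deliberately minimal (no indefinite lengths, no tag numbers above 30, no checks for non-canonical lengths), which is enough for these extensions but not a substitute for a real ASN.1 library on untrusted input.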