it gets worse -- Microsoft warns of hijacked certificates

Ed Gerck <egerck@nma.com> Thu, 22 March 2001 23:34 UTC

To: "ietf-pkix@imc.org" <ietf-pkix@imc.org>

 http://news.cnet.com/news/0-1003-200-5222484.html?tag=tp_pr

It gets worse. As many developers in PKI have pointed out
over more than 4 years (see www.mcg.org.br/certover.pdf),
even though CAs such as VeriSign periodically generate a Certificate
Revocation List (CRL), which lists all the certificates that should be
considered invalid, this does not work for several reasons paradoxically
built into the system. Why?

As Microsoft has ignored in all these years, but now proves as its own
medicine, one reason is that VeriSign certificates do not support what they
should comply with. In Microsoft's own words:

"A field in every certificate should indicate the CRL Distribution Point
(CDP) – the location from which the CRL can be obtained. The problem is
that VeriSign code-signing certificates leave the CDP information blank.
As a result, even though VeriSign has added these two certificates to
its current CRL, it’s not possible for systems to automatically download
and check it."

The solution is a software-patch. But, what certifies the software-patch?
Maybe the guys that did this mess could also get their patch certified,
which patch would then revoke the correct certificates and leave just the
rogue ones?

Cheers -- Ed Gerck
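
The check that the quoted Microsoft text says clients cannot perform when the CDP field is blank, as an added example that is not part of the original message: a small DER walker that lists the CRL Distribution Point URIs in a certificate and returns an empty list when there are none. The function names and the `sample_cert` skeleton (constructed, unsigned, with a placeholder URL) are assumptions made for illustration.

```python
# Added example: list CRL Distribution Point (CDP) URIs in a DER certificate.
CDP_OID = bytes.fromhex("551d1f")  # DER content bytes of OID 2.5.29.31

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def cdp_uris(cert_der):
    """URIs in the cRLDistributionPoints extension; [] if absent or blank."""
    tbs = children(read_tlv(cert_der, 0)[1])[0][1]          # tbsCertificate
    exts = [v for t, v in children(tbs) if t == 0xA3]       # [3] Extensions
    uris = []
    for _, ext in (children(children(exts[0])[0][1]) if exts else []):
        fields = children(ext)             # extnID, [critical], extnValue
        if fields[0][1] != CDP_OID:
            continue
        for _, dp in children(children(fields[-1][1])[0][1]):
            for _, name in (c for c in children(dp) if c[0] == 0xA0):
                for _, full in (c for c in children(name) if c[0] == 0xA0):
                    uris += [v.decode("ascii") for t, v in children(full) if t == 0x86]
    return uris

def tlv(tag, content):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(content); lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + head + content

def sample_cert(uri=None):
    """Constructed skeleton (serial + extensions only), not a signed cert."""
    ku = tlv(0x30, tlv(0x06, bytes.fromhex("551d0f")) + tlv(0x04, bytes.fromhex("03020780")))
    exts = ku                              # keyUsage is always present
    if uri:                                # optionally add a CDP with one URI
        dps = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, uri.encode())))))
        exts += tlv(0x30, tlv(0x06, CDP_OID) + tlv(0x04, dps))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs)
```

An empty result from `cdp_uris` means a relying party has no location in the certificate from which to fetch the CRL, so a revocation entry for it is never consulted automatically.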