it gets worse -- Microsoft warns of hijacked certificates
Ed Gerck <egerck@nma.com> Thu, 22 March 2001 23:34 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id SAA25839 for <pkix-archive@odin.ietf.org>; Thu, 22 Mar 2001 18:34:01 -0500 (EST)
Received: from localhost by above.proper.com (8.9.3/8.9.3) with SMTP id PAA04877; Thu, 22 Mar 2001 15:33:32 -0800 (PST)
Received: by mail.imc.org (bulk_mailer v1.12); Thu, 22 Mar 2001 15:33:29 -0800
Received: from janus.hosting4u.net (janus.hosting4u.net [209.15.2.37]) by above.proper.com (8.9.3/8.9.3) with SMTP id PAA04843 for <ietf-pkix@imc.org>; Thu, 22 Mar 2001 15:33:29 -0800 (PST)
Received: (qmail 1515 invoked from network); 22 Mar 2001 23:33:21 -0000
Received: from taurus.hosting4u.net (209.15.2.33) by mail-gate.hosting4u.net with SMTP; 22 Mar 2001 23:33:21 -0000
Received: from nma.com ([63.204.17.82]) by taurus.hosting4u.net ; Thu, 22 Mar 2001 17:33:19 -0600
Message-ID: <3ABA8BBC.25412B54@nma.com>
Date: Thu, 22 Mar 2001 15:33:16 -0800
From: Ed Gerck <egerck@nma.com>
X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject: it gets worse -- Microsoft warns of hijacked certificates
Content-Type: text/plain; charset="iso-8859-1"
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe
X-MIME-Autoconverted: from 8bit to quoted-printable by above.proper.com id PAA04877
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by ietf.org id SAA25839
http://news.cnet.com/news/0-1003-200-5222484.html?tag=tp_pr It gets worse. As many developers in PKI have pointed out over more than 4 years (see www.mcg.org.br/certover.pdf), even though CAs such as VeriSign periodically generate a Certificate Revocation List (CRL), which lists all the certificates that should be considered invalid, this does not work for several reasons paradoxically built into the system. Why? As Microsoft has ignored in all these years, but now proves as its own medicine, one reason is that VeriSign certificates do not support what they should comply with. In Microsoft's own words: "A field in every certificate should indicate the CRL Distribution Point (CDP) the location from which the CRL can be obtained. The problem is that VeriSign code-signing certificates leave the CDP information blank. As a result, even though VeriSign has added these two certificates to its current CRL, its not possible for systems to automatically download and check it." The solution is a software-patch. But, what certifies the software-patch? Maybe the guys that did this mess could also get their patch certified, which patch would then revoke the correct certificates and leave just the rogue ones? Cheers -- Ed Gerck
- it gets worse -- Microsoft warns of hijacked cert… Ed Gerck
- Re: it gets worse -- Microsoft warns of hijacked … Michael Ströder