Full Disclosure mailing list archives
Re: Expired certificate
From: Dan Kaminsky <dan () doxpara com>
Date: Sat, 24 Jul 2010 19:10:24 -0400
> People may neglect to revoke certificates that have become invalid (e.g. a personal certificate for someone who is deceased).

And what do you think is doing revocation checking? Hint: Even fewer things than are doing chain validation.

> The problem is a conflict between security and convenience.

The problem is that we assume that security doesn't have to be convenient.

> Ironically, online communication allows a rather elegant solution: you can have a hierarchy of certificates starting with short-lived certs for routine operation issued online by the lowest level of intermediate CAs, with each level offering less automation to reduce exposure and longer lifetimes to make up for lost convenience.

Intermediate certs? You mean those god-mode can-sign-anything certs that are sold for a pile of money, a wink, and a smile?

> Unfortunately, this approach (while being quite feasible from the technical POV) appears to be incompatible with the business model of existing CAs.

Everyone loves blaming the business guys. Nope. When it comes to X.509, we nerds blew it.

> If you have got 500 servers that need renewed certificates then you have got 500 servers that need patches installed, not to mention other routine admin tasks. If you need 8 man hours per server to renew one certificate, how many man hours per server do you need to deploy one patch?

Windows Update / BigFix, move on with your life.

> Many (if not most) CAs let you renew a certificate two or three months before its expiration and give you the remaining time back. One who needs to renew one certificate every other day can do it once in 2 or 3 months in batches of up to 30 or 45 renewals without losing anything.

Or, you could just have a small handful of servers with keys and leave the rest without. Which is precisely what we see.

See, here's the problem: You're all talking about what *could* be the case. I'm telling what *is* the case. Expiration is one of a number of serious and genuinely unique operational hazards in X.509. We started this conversation discussing the situation of a CA gov operator who hadn't rolled their certs. Some people were surprised. The reality is, it's amazing there was a cert at all.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
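The tiered-lifetime hierarchy proposed in the quoted text, and the expiry and renewal-window checks the reply argues nobody actually runs, are concrete enough to show in code. The following is an added example written for this archive page, not code from either poster; it builds an in-memory root -> intermediate -> leaf chain with Go's standard `crypto/x509`, validates it at two points in time, and flags a certificate as due for renewal when it is inside a renewal window. The lifetimes (10 years, 2 years, 30 days), the subject names, and the host `www.example.invalid` are assumptions chosen for illustration; the keys are freshly generated on each run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed tiered lifetimes, chosen for illustration: a long-lived offline
// root, a medium-lived intermediate, and a short-lived leaf renewed often.
const (
	RootLifetime         = 10 * 365 * 24 * time.Hour
	IntermediateLifetime = 2 * 365 * 24 * time.Hour
	LeafLifetime         = 30 * 24 * time.Hour
)

// Hierarchy holds a constructed root -> intermediate -> leaf chain.
type Hierarchy struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl for pub, signed with the parent's private key.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildHierarchy issues all three certificates at `issued`.
// Subject names and the host are placeholders for this example.
func BuildHierarchy(issued time.Time, host string) (*Hierarchy, error) {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Offline Root"},
		NotBefore: issued, NotAfter: issued.Add(RootLifetime),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
	}
	root, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	inter, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Online Intermediate"},
		NotBefore: issued, NotAfter: issued.Add(IntermediateLifetime),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
		MaxPathLen: 0, MaxPathLenZero: true, // may issue end-entity certs only
	}, root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: issued, NotAfter: issued.Add(LeafLifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// Verify builds and validates the chain for host as of time `at`, which is
// what a client's chain validation does on each connection.
func (h *Hierarchy) Verify(host string, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Intermediate)
	_, err := h.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: at,
	})
	return err
}

// IsExpiry reports whether a verification failure is specifically a
// validity-period failure rather than, say, a hostname mismatch.
func IsExpiry(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// DueForRenewal reports whether c expires within `window` of now; a batch
// renewal job would run this over every deployed cert on a schedule.
func DueForRenewal(c *x509.Certificate, now time.Time, window time.Duration) bool {
	return !now.Add(window).Before(c.NotAfter)
}

func main() {
	issued := time.Date(2010, 7, 1, 0, 0, 0, 0, time.UTC)
	h, err := BuildHierarchy(issued, "www.example.invalid")
	if err != nil {
		panic(err)
	}
	for _, at := range []time.Time{issued.Add(24 * time.Hour), issued.Add(LeafLifetime + time.Hour)} {
		err := h.Verify("www.example.invalid", at)
		fmt.Printf("verify at %s: err=%v (expiry=%v)\n", at.Format(time.RFC3339), err, IsExpiry(err))
	}
	fmt.Println("leaf due for renewal at day 23, 14-day window:", DueForRenewal(h.Leaf, issued.Add(23*24*time.Hour), 14*24*time.Hour))
}
```

Run with `go run .`; the second `Verify` call fails with an `x509.Expired` reason one hour after the leaf's `NotAfter`, even though the intermediate and root are still valid, which is the failure mode a forgotten renewal produces. Note that this example checks only the validity period: nothing here consults a CRL or an OCSP responder, so a revoked-but-unexpired certificate would still verify.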
Current thread:
- Re: Expired certificate, (continued)
- Re: Expired certificate Pavel Kankovsky (Jul 18)
- Re: Expired certificate Marsh Ray (Jul 20)
- Re: Expired certificate Dan Kaminsky (Jul 22)
- Re: Expired certificate Marsh Ray (Jul 22)
- Re: Expired certificate Dan Kaminsky (Jul 22)
- Re: Expired certificate Marsh Ray (Jul 22)
- Re: Expired certificate bk (Jul 23)
- Re: Expired certificate Meadow (Jul 23)
- Re: Expired certificate Marsh Ray (Jul 24)
- Re: Expired certificate Pavel Kankovsky (Jul 24)
- Re: Expired certificate Dan Kaminsky (Jul 24)
- Re: Expired certificate Dan Kaminsky (Jul 24)
- Re: Expired certificate Pavel Kankovsky (Jul 25)
- Re: Expired certificate Dan Kaminsky (Jul 25)
- Re: Expired certificate Marsh Ray (Jul 26)