Full Disclosure mailing list archives

Re: Expired certificate


From: Dan Kaminsky <dan () doxpara com>
Date: Sat, 24 Jul 2010 19:10:24 -0400

> People may neglect to revoke certificates that have become invalid (e.g.
> a personal certificate for someone who is deceased).


And what do you think is doing revocation checking?

Hint:  Even fewer things than are doing chain validation.

> The problem is a conflict between security and convenience.


The problem is that we assume that security doesn't have to be convenient.



> Ironically, online communication allows a rather elegant solution: you can
> have a hierarchy of certificates starting with short-lived certs for
> routine operation issued online by the lowest level of intermediate CAs
> with each level offering less automation to reduce exposure and longer
> lifetimes to make up for lost convenience.


Intermediate certs?  You mean those god-mode can-sign-anything certs that
are sold for a pile of money, a wink, and a smile?



> Unfortunately, this approach (while being quite feasible from the
> technical POV) appears to be incompatible with the business model of
> existing CAs.


Everyone loves blaming the business guys.  Nope.  When it comes to X.509, we
nerds blew it.

> If you have got 500 servers that need renewed certificates then you have
> got 500 servers that need patches installed, not to mention other routine
> admin tasks. If you need 8 man hours per server to renew one certificate,
> how many man hours per server do you need to deploy one patch?


Windows Update / BigFix, move on with your life.


> Many (if not most) CAs let you renew a certificate two or three months
> before its expiration and give you the remaining time back. One who needs
> to renew one certificate every other day can do it once in 2 or 3 months
> in batches of up to 30 or 45 renewals without losing anything.


Or, you could just have a small handful of servers with keys and leave the
rest without.  Which is precisely what we see.

See, here's the problem:  You're all talking about what *could* be the
case.  I'm telling you what *is* the case.  Expiration is one of a number of
serious and genuinely unique operational hazards in X.509.  We started this
conversation discussing the situation of a CA gov operator who hadn't rolled
their certs.  Some people were surprised.

The reality is, it's amazing there was a cert at all.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
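The thread above argues three things in the abstract: that chain validation is rarely done in practice, that revocation checking is done even less, and that a tiered hierarchy (long-lived offline root, online intermediate, short-lived leaves) with a renewal window would make expiry a routine operation rather than a hazard. The program below is an added example, not code from the original post or from any CA or tool mentioned in it. It builds that hierarchy in memory with Go's standard library, runs full chain validation of the leaf at different points in time, and computes whether a leaf has entered its renewal window. All names (the "Example Offline Root", "www.example.test", the 90-day leaf lifetime) are constructed for the example. Note that Go's `Verify` checks signatures, names and validity periods but performs no revocation checking at all, which illustrates Dan's point: expiry is enforced by every validator, revocation by almost none.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a three-tier PKI built in memory: a long-lived root meant to
// stay offline, an online intermediate, and a short-lived leaf the
// intermediate issues automatically. All names here are constructed.
type Hierarchy struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with signer (self-signs when parent is nil) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildHierarchy issues a 10-year root, a 1-year intermediate and a leaf that
// lives only for leafLifetime, all starting at now.
func BuildHierarchy(now time.Time, leafLifetime time.Duration) Hierarchy {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign

	root := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Offline Root"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
	}, nil, &rootKey.PublicKey, rootKey)

	inter := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Online Intermediate"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
	}, root, &intKey.PublicKey, rootKey)

	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"},
		NotBefore: now, NotAfter: now.Add(leafLifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &leafKey.PublicKey, intKey)

	return Hierarchy{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyAt performs full chain validation of the leaf as of the instant at.
// Go's verifier checks signatures, the hostname and validity periods; it does
// no revocation checking, so an expired cert fails even though nothing was revoked.
func VerifyAt(h Hierarchy, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Intermediate)
	_, err := h.Leaf.Verify(x509.VerifyOptions{
		DNSName: "www.example.test", Roots: roots, Intermediates: inters,
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// NeedsRenewal reports whether c expires within window of at, i.e. whether it
// has entered the early-renewal window the thread describes.
func NeedsRenewal(c *x509.Certificate, at time.Time, window time.Duration) bool {
	return !at.Add(window).Before(c.NotAfter)
}

func main() {
	now := time.Now()
	h := BuildHierarchy(now, 90*24*time.Hour)
	fmt.Println("chain valid one hour in:", VerifyAt(h, now.Add(time.Hour)))
	fmt.Println("chain valid at day 91:", VerifyAt(h, now.Add(91*24*time.Hour)))
	fmt.Println("in 60-day renewal window at day 40:", NeedsRenewal(h.Leaf, now.Add(40*24*time.Hour), 60*24*time.Hour))
}
```

Run on a fleet, the `NeedsRenewal` check is the piece that turns "500 servers with expiring certs" into a batch job: anything inside the window gets re-issued by the online intermediate, and the root key never has to come out of storage for it.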
