[cabfpub] Ballot - BR Response for non-issued certificates
Yngve N. Pettersen (Developer Opera Software ASA)
yngve at opera.com
Fri Jul 20 17:23:07 MST 2012
On Sat, 21 Jul 2012 01:09:11 +0200, Rick Andrews
<Rick_Andrews at symantec.com> wrote:
> While we agree with the "spirit" of this ballot, Symantec will probably
> vote against this, for these reasons:
> - In our opinion, this will have little practical effect
> because if an attacker subverts a CA and uses the CA's infrastructure to
> issue a fraudulent cert, that cert will have a valid serial number and
> will therefore have a "good" status (until the fraud is discovered). If
However, *without* this proposed requirement, he can hide his certificate,
including which sites are being attacked, and not risk being blocked at
With this proposed requirement, he will have to obtain greater control of
the CA, leaving more tracks, thus increasing the chance of early
discovery. With good and secure record-keeping and auditing it should be
possible to detect such certificates.
Based on current information, DigiNotar was able to revoke the
fraudulently issued certificates shortly after their issuance was
triggered by the attacker, *until* the attacker started corrupting the
logs and records of issued certificates. As a result the OCSP responses
were "good" for those hidden certificates.
If we had had a situation where this proposed requirement, in combination
with updates at the browsers and other clients, had been implemented, that
option would not have worked for the attacker, particularly if the clients
also refused to show sites where revocation lookup failed as secure
(disclosure: Opera requires success for revocation checking to show a site
as secure). In such a scenario the attacker would have had to leave behind
information about his activities, leaving himself open to discovery.
This proposal should prevent another incident of the kind that happened
with DigiNotar, and it increases the likelihood of discovery in case of an
attack, because the attacker can no longer just hide his loot, he has to
leave behind much more information about what he's done.
> the attacker does not subvert the CA's infrastructure (instead mounts a
> hash collision attack, for example), s/he could easily choose to use an
> existing serial number and therefore get a "good" status (until the
Given current requirements, I suspect that if a collision attack is
practical (as it was for MD5 with linear serial numbers), then we actually
have a situation where the hash method, at least, needs to be discarded for
a more secure method. Worst case, the CA certificates and all issued
certificates using the method will have to be revoked, because they can no
longer be trusted.
> fraud is discovered and the legitimate certificate is revoked). The
> motion will only help in the very limited case in which the attacker
> does not subvert the CA's infrastructure, and uses a non-existent serial
> - Any CA that uses a CRL-based OCSP responder product (and
> Symantec does, for a subset of our CAs) will be unable to comply until
> the vendor builds in that functionality (we think it's non-trivial) and
> the CA deploys it, or the CA replaces the CRL-based OCSP responder with
> one not based on CRLs. Neither option can be accomplished in 6 months;
> both options will probably take a year or more.
Given the new threat environment, I think that the CRL-based OCSP
responders are no longer suitable for providing secure status information.
> - The BRs currently treat CRLs almost the same as OCSP (Section
> 13.2.2 "Repository" essentially says that the CA must support OCSP and
> may support CRLs), and if a relying party uses CRLs instead of OCSP,
> they will interpret anything not on the CRL as "good". So this ballot
> will do nothing at all to help those relying parties.
At present most browser clients use OCSP (although admittedly Google
Chrome is moving away from online revocation checks) for end entity
certificates, while clients vary on what they use for intermediate CAs,
some use OCSP, others (e.g. Opera) currently use CRLs. And if multiple
stapling is implemented, then CRLs will become mostly a fallback option,
not the main source of revocation information for the client.
The main reason I never added OCSP for intermediate CAs in Opera was to
not add to the CAs' traffic load. If we can rely on not getting "good"
status for non-issued certificates, then perhaps it is time to reconsider
that decision, and use OCSP for those certificates, too?
Relying parties that only rely on CRLs, particularly for end entity
certificates, should move to OCSP, particularly if they can rely on "good"
meaning "yes, it was issued by us, and we know what the certificate says".
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Tim Moses
> Sent: Friday, July 20, 2012 11:41 AM
> To: CABFPub
> Subject: [cabfpub] Ballot - BR Response for non-issued certificates
> Yngve Pettersen made the following motion and Ben Wilson and Carsten
> Dahlenkamp endorsed it:
> ... Motion begins....
> Effective 1 Feb 2013
> ... Erratum begins ...
> Insert a new section at the end of section 13.2 of the Baseline
> Requirements with the following heading and text:
> "13.2.6 Response for non-issued certificates
> If the OCSP responder receives a request for status of a certificate
> that has not been issued, then the responder MUST NOT respond with a
> "good" status. The CA SHOULD monitor the responder for such requests as
> part of its security response procedures."
> ... Erratum ends ...
> The ballot review period comes into effect at 21:00 UTC on 19 July 2012
> and will close at 21:00 UTC on 26 July 2012. Unless the motion is
> withdrawn during the review period, the voting period will start
> immediately thereafter and will close at 21:00 UTC on 2 August 2012.
> Votes must be cast by posting an on-list reply to this thread.
> ... Motion ends ...
> A vote in favor of the motion must indicate a clear 'yes' in the
> A vote against must indicate a clear 'no' in the response. A vote to
> abstain must indicate a clear 'abstain' in the response. Unclear
> responses will not be counted. The latest vote received from any
> representative of a voting member before the close of the voting period
> will be counted.
> Voting members are listed here:
> with the addition of
> In order for the motion to be adopted, two thirds or more of the votes
> cast by members in the CA category and one half or more of the votes
> cast by members in the browser category must be in favour. Also, at
> least seven members must participate in the ballot, either by voting in
> favour, voting against or abstaining.
> T: +1 613 270 3183
Yngve N. Pettersen
Senior Developer Email: yngve at opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 23 69 32 60 Fax: +47 23 69 24 01
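
The difference between a CRL-based OCSP responder and one that consults issuance records, as discussed in the message above, shown as an added example that is not part of the original post or any CA's code. The function names, serial numbers and client addresses are constructed, and answering "unknown" for a non-issued serial is an assumption, since the proposed 13.2.6 text only forbids "good".

```python
from collections import defaultdict

# Constructed sample data (not from the post): serials recorded at issuance,
# the revoked subset a CRL would list, and a stream of OCSP requests.
ISSUED = {0x1001, 0x1002, 0x1003}
REVOKED = {0x1002}
REQUESTS = [  # (serial, requesting client) -- documentation addresses
    (0x1001, "192.0.2.10"), (0x1002, "192.0.2.11"),
    (0x9999, "198.51.100.7"), (0x9999, "198.51.100.8"), (0x1003, "192.0.2.10"),
]


def crl_based_status(serial, revoked):
    """CRL-derived responder: any serial absent from the CRL is 'good'."""
    return "revoked" if serial in revoked else "good"


def issuance_backed_status(serial, issued, revoked):
    """Consult issuance records first; never 'good' for a non-issued serial.

    Returning 'unknown' is an assumption: the proposed 13.2.6 text only
    forbids 'good'.
    """
    if serial not in issued:
        return "unknown"
    return "revoked" if serial in revoked else "good"


def process(requests, issued=ISSUED, revoked=REVOKED):
    """Answer each request both ways and collect non-issued serials."""
    answers = []
    suspicious = defaultdict(set)  # serial -> clients that asked about it
    for serial, client in requests:
        backed = issuance_backed_status(serial, issued, revoked)
        answers.append((serial, crl_based_status(serial, revoked), backed))
        if serial not in issued:
            suspicious[serial].add(client)  # feeds the SHOULD-monitor clause
    return answers, {s: sorted(c) for s, c in suspicious.items()}


if __name__ == "__main__":
    answers, suspicious = process(REQUESTS)
    for serial, crl, backed in answers:
        print(f"{serial:#06x}  CRL-based={crl:8} issuance-backed={backed}")
    for serial, clients in suspicious.items():
        print(f"ALERT non-issued serial {serial:#06x} queried by {clients}")
```

Removing a serial from `issued` models a certificate whose issuance record is missing: the issuance-backed responder stops answering "good" for it, while the CRL-based one is unaffected.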