[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)
Peter Williams
pwilliams at rapattoni.com
Fri Jan 2 18:37:24 UTC 2009
I wonder if the CCC-announcing team minted an Authorized Responder cert for the spoofed CA they introduced into the VeriSign Trust Network (or one of its sub brands).
I keep half expecting the next attack wave to be the deployment of the OCSP server, perhaps one that aggregates several CAs (even non-VeriSign ones!).
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Peter Watkins
> Sent: Friday, January 02, 2009 9:10 AM
> To: Martin Paljak
> Cc: Martin Atkins; OpenID List
> Subject: Re: [OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP
> implementations)
>
> On Fri, Jan 02, 2009 at 11:08:39AM +0200, Martin Paljak wrote:
>
> > In real life most end-user software does not check the status of a
> > certificate (CRL/OCSP)
>
> I suspect that claim is not true. IE7 on Vista and Firefox 3 default
> to using OCSP -- for instance, by the time I followed the recipe for
> the www.mozilla.com demo of the cert that never should've been issued,
> Firefox 3's OCSP check rejected it.
>
> > I second here the questions often raised about CAs by Peter Williams,
> > but the community has managed to subtly ignore the topic. "If there is
> > a problem (which we don't believe there is) then this is for the PKI/
> > TLS/HTTPS guys to fix", "Just pay to a big company for your certs",
> > "Apparently we use whatever CA certificates Debian uses" are all signs
> > of delegating the problem somewhere else.
>
> And why not delegate? TLS is a bedrock security technology for current
> Web business -- from a simple Yahoo storefront to millionaires accessing
> their online brokerage accounts. A lot of businesses have a lot riding on
> TLS and https, and a lot of incentive to fix any problems. And we've seen
> them do just that. It's not perfect (I'm still peeved that Microsoft has
> effectively blocked attempts to give TLS RSA decent forward secrecy), but
> TLS is widely understood to be critically important, and people more
> influential than us, and smarter than me, are working on this stuff -- the
> improved OCSP support in Firefox and IE7 being a good illustration.
>
> > In addition to "let's just do what everybody else is doing" OpenID
> > could provide additional mechanisms. I once suggested having a
> > separate configuration file and format for RP libraries to be able to
> > configure white/blacklists and OP certificate/CA checksums and
> > trust settings.
>
> Nothing is stopping any RP from doing that. Shoot, that's what Microsoft's
> HealthVault site has been doing for OpenID all along.
>
> -Peter
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
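The RP-side trust configuration Martin Paljak describes above (host allow/deny lists plus pinned OP certificate checksums), sketched here as an added example in Python; it is not code from the OpenID list, HealthVault or any RP library, and the policy format, the `op.example` hosts and the sample certificate bytes are constructed assumptions.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample "certificates": arbitrary bytes standing in for the
# DER encoding of an OP's TLS leaf certificate (not real certificates).
OP_CERT_DER = b"constructed-sample-der-for-op.example"
ROGUE_CERT_DER = b"constructed-sample-der-for-a-different-cert"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def make_policy(pins: Dict[str, List[str]], deny_hosts: List[str]) -> dict:
    """Build an RP trust policy (hypothetical format for this example).

    pins:       OP host -> acceptable leaf-certificate fingerprints
    deny_hosts: OP hosts the RP refuses regardless of certificate
    """
    return {
        "pins": {h.lower(): [p.lower() for p in fps] for h, fps in pins.items()},
        "deny_hosts": {h.lower() for h in deny_hosts},
    }


def op_allowed(policy: dict, host: str, cert_der: bytes) -> bool:
    """Decide whether the RP may use this OP over the presented certificate.

    Order: explicit denylist first, then the allowlist of pinned
    fingerprints, and default deny for any host the policy does not name.
    The pin check is in addition to, not instead of, the chain and
    revocation (CRL/OCSP) validation done by the TLS library.
    """
    host = host.lower().rstrip(".")
    if host in policy["deny_hosts"]:
        return False
    pins = policy["pins"].get(host)
    if not pins:
        return False  # unknown OP: default deny
    observed = fingerprint(cert_der)
    return any(hmac.compare_digest(observed, pin) for pin in pins)


def demo_policy() -> dict:
    """Policy pinning two OPs to the sample cert, one of them denylisted."""
    pin = fingerprint(OP_CERT_DER)
    return make_policy(
        pins={"op.example": [pin], "evil-op.example": [pin]},
        deny_hosts=["evil-op.example"],
    )
```

In a real RP the DER bytes come from the TLS library's peer certificate after normal chain and revocation validation has already passed.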