[Kurt, please CC me on your replies. The BTS' -subscribe functionality doesn't seem to be working] [CC'ing ubuntu sec, in case Kees or Jamie or whoever is taking care of the issue is also working on something to completely block DigiNotar]
On Monday 05 September 2011 14:55:50 Kurt Roeckx wrote:
> On Mon, Sep 05, 2011 at 02:15:31PM -0500, Raphael Geissert wrote:
> > The only currently supported methods are OCSP and CRL, but none would do
> > the trick in this case.
>
> I guess OCSP/CRL is only called for the topmost certificate, and all
> the CAs in the chain aren't checked in most applications. I thought
> I read Entrust revoked their signature, and in theory that should
> be enough.

As long as the client becomes aware of that revocation, yes.
DigiNotar's PKIOverheid CA also needs to be blocked. I don't remember reading any report of the gov already revoking it.

> At least the openssl "verify" util has a "-crl_check", and
> "-crl_check_all", but it doesn't do OCSP.

Yes, there's X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL. OCSP can be checked with openssl ocsp, IIRC.

> > I was thinking about hard-coding a check for CN=* DigiNotar * most likely
> > in libcrypto's X.509 support, but so far my lack of knowledge of
> > OpenSSL's internals has me a bit lost.
> > Hard-coding it is suboptimal, but I think it is the only reasonable
> > solution for the time being. We can't wait weeks or months for a better
> > solution.
> >
> > What do you think about making such a change?
>
> So you're basically saying that X509_verify_cert() should give an
> error in case it finds DigiNotar somewhere in the chain?
>
> I'm not opposed to such a change, but would like to see a better
> option in the future.

Yes. I will try to spend some time with a debugger later today to find the right place to implement such a check. Or do you have any hint? (The CN validation functions didn't seem to be executed in one case I tried.)

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net