Re: About the Cybertrust Educational CA certificate

2008-09-18 Thread Eddy Nigg
On 09/19/2008 01:03 AM, Kyle Hamilton: > Mary and Mallory may not be the same control. > > Mary has a site with a cert with AIA. Mallory can take control over > that location for the AIA, without Mary being able to do a thing to > stop it. > Mary knows that she has a cert, because she installed i

Re: About the Cybertrust Educational CA certificate

2008-09-18 Thread Kyle Hamilton
Mary and Mallory may not be the same control. Mary has a site with a cert with AIA. Mallory can take control over that location for the AIA, without Mary being able to do a thing to stop it. -Kyle H On Thu, Sep 18, 2008 at 2:02 PM, Eddy Nigg <[EMAIL PROTECTED]> wrote: > On 09/18/2008 11:50 PM,

Re: About the Cybertrust Educational CA certificate

2008-09-18 Thread Eddy Nigg
On 09/18/2008 11:50 PM, Kyle Hamilton: > Client Alice connects to server Mary. Mary sends a certificate with > an AIA, no chain. Cute :-) > Mary happens to be a honeypot. > > Alice looks up AIA, makes connection to Mallory to retrieve the certificate. > > Mallory is looking for people who are l

Re: About the Cybertrust Educational CA certificate

2008-09-18 Thread Kyle Hamilton
Attack scenario is an information-leakage vulnerability. Client Alice connects to server Mary. Mary sends a certificate with an AIA, no chain. Mary happens to be a honeypot. Alice looks up AIA, makes connection to Mallory to retrieve the certificate. Mallory is looking for people who are looki

Re: About the Cybertrust Educational CA certificate

2008-09-18 Thread Eddy Nigg
On 09/18/2008 10:29 PM, Nelson B Bolyard: > > After verifying that the signatures are valid in the chain, all the > way to a trusted root, then yes. And what exactly prevents you from verifying the signatures of the received chain (by whatever means you constructed the chain) all the way to a tr

Re: About the Cybertrust Educational CA certificate

2008-09-18 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2008-09-18 11:48: > There's another, more pressing issue: > > If there are buffer overflows in ASN.1 parsing (there have been in at > the least OpenSSL and Microsoft's), anyone who can provide a > certificate that points to an AIA that ultimately wouldn't be trusted > could

Re: About the Cybertrust Educational CA certificate

2008-09-18 Thread Nelson B Bolyard
Eddy Nigg wrote, On 2008-09-18 03:43: > On 09/18/2008 07:22 AM, Nelson B Bolyard: >> In the case of AIA cert fetching, we have a cert for which we have no >> issuer cert. We cannot know that the cert we are trying to validate >> was signed by a real trusted CA. > > But you trust the CA certif

Re: About the Cybertrust Educational CA certificate

2008-09-18 Thread Eddy Nigg
On 09/18/2008 09:48 PM, Kyle Hamilton: > There's another, more pressing issue: > > If there are buffer overflows in ASN.1 parsing (there have been in at > the least OpenSSL and Microsoft's), anyone who can provide a > certificate that points to an AIA that ultimately wouldn't be trusted > could pro

Re: About the Cybertrust Educational CA certificate

2008-09-18 Thread Kyle Hamilton
There's another, more pressing issue: If there are buffer overflows in ASN.1 parsing (there have been in at the least OpenSSL and Microsoft's), anyone who can provide a certificate that points to an AIA that ultimately wouldn't be trusted could provide malicious data that could compromise the issu

Re: About the Cybertrust Educational CA certificate

2008-09-18 Thread David E. Ross
On 9/17/2008 4:52 PM, Eddy Nigg wrote: > On 09/18/2008 02:05 AM, David E. Ross: >> Note that this is not a unique situation. See bug #390835 at >> . Unfortunately, >> Internet Explorer (IE) works around this situation by searching the >> Intern

Re: About the Cybertrust Educational CA certificate

2008-09-18 Thread Eddy Nigg
On 09/18/2008 01:43 PM, Eddy Nigg: >> Even if its issuer name matches that of >> a known and trusted CA, it may be a cert crafted by an attacker > I wanted to add here, that if this were true, then this would apply for any certificate, including server certs, CA certs and anything in the path. I

Re: enabling crypto hardware for NSS

2008-09-18 Thread David Sadler
You were correct, the debug version was not installed. I rebuilt with debug. I did the following: export NSPR_LOG_MODULES=nss_mod_log:4 export NSS_DEBUG_PKCS11_MODULE=opencryptoki export NSPR_LOG_FILE=nss_openCryptoki.log then see this on apache2 startup: apache2ctl start [Thu Sep 18 10:02:12 2008]

Re: About the Cybertrust Educational CA certificate

2008-09-18 Thread Eddy Nigg
On 09/18/2008 07:22 AM, Nelson B Bolyard: > In the case of AIA cert fetching, we have a cert for which we have no > issuer cert. We cannot know that the cert we are trying to validate > was signed by a real trusted CA. But you trust the CA certificates the server sends to you, do you? > Even