Closed Bug 684747 Opened 13 years ago Closed 13 years ago

Dutch govt and diginotar refuse to revoke compromised CA certs via OCSP

Categories

(Core :: Security, defect)

defect
Not set
normal

VERIFIED DUPLICATE of bug 683449

People

(Reporter: ebosman, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.21) Gecko/20110830 Ubuntu/10.10 (maverick) Firefox/3.6.21
Build ID: 20110830211536
Actual results:

Dutch minister Donner stated in a press conference on Dutch TV that
he has convinced Microsoft to delay Windows updates (probably only to
installations in the Netherlands) in order to reduce the damage caused
by revoking the DigiNotar CAs on automated systems.

Based on this I conclude that no OCSP updates will be generated revoking
the compromised CA certs. This means the Dutch govt. has made a trade-off
preferring not causing damage to Dutch automated systems over the security
of Iranian citizens.


Expected results:

I propose that if the Dutch govt. does not do all it can to prevent MitM attacks,
it should be considered not trustworthy and that its Staat Der Nederlanden Root
CA should be purged from the root CA list.
OS: Linux → All
Hardware: x86_64 → All
The press conference in question (Dutch)

http://pizzadoos.com/donner-persco-20110905.asf

(I understand that OCSP can be replayed (and blocked
by default). But it apparently is/wasn't, and why
make it easier for the attacker than necessary.)
The exemptions to allow the Staat der Nederlanden root have already been removed and will no longer be trusted in the next updates for Firefox 3.6.x, 6.0.x, and later.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
This proposal is actually not a duplicate, with implications way beyond the currently planned updates.

Current updates treat only those certificates as revoked that have CN=DigiNotar.
Firefox 6.01 had an exemption for CN=DigiNotar combined with "CN=Staat der Nederlanden CA".

The proposal at hand is to purge the whole "Staat der Nederlanden CA" as a root, apparently because they behave irresponsibly by not revoking the DigiNotar CA by OCSP.

The argument would be that currently the owners of "Staat der Nederlanden CA" (NL government) rely on Mozilla to deal with DigiNotar and convince Microsoft to delay their patch by one week, while they should be busy revoking DigiNotar as a CA.
Now it seems that some of my assumptions were false.
From a previously unpublished report, it now appears
that the Diginotar OCSP now works with a whitelist.

If this is the case, this would also stop unknown
false certs.
the report in question
Status: RESOLVED → VERIFIED
It seems the government does not believe in OCSP.
The new certificates, e.g. for applicaties.digid.nl, were issued without an OCSP URL.

(Interestingly enough, on Sunday when the new certificate was deployed there at first was a certificate with an OCSP URL that pointed to a nonexistent server; later the certificate was changed again and has no OCSP URL anymore.)
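The last comment above makes a check that a relying party or auditor can automate: whether a certificate carries any OCSP responder URL at all. The script below is an added example, not code from this bug report, Mozilla, or any of the CAs discussed; it parses the Authority Information Access (AIA) extension (RFC 5280 OID 1.3.6.1.5.5.7.1.1, access method id-ad-ocsp 1.3.6.1.5.5.7.48.1) with a small standard-library DER walker. It operates on the DER-encoded Extensions SEQUENCE of a certificate (in a real certificate that sits inside the TBSCertificate's `[3]` field; a production tool would obtain it via a proper X.509 library). The sample extensions and the responder URL are constructed inline and are placeholders, not real certificate data.

```python
# Added example (not part of the bug report): a stdlib-only check that
# answers "does this certificate carry an OCSP responder URL at all?" by
# reading the Authority Information Access (AIA) extension.
# Sample extension bytes are constructed inline; the URL is a placeholder.

AIA_OID = "1.3.6.1.5.5.7.1.1"    # id-pe-authorityInfoAccess (RFC 5280 4.2.2.1)
OCSP_OID = "1.3.6.1.5.5.7.48.1"  # id-ad-ocsp
KEY_USAGE_OID = "2.5.29.15"      # used only to give the sample a second extension


def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, payload):
    """Encode one tag-length-value element."""
    return bytes([tag]) + _der_len(len(payload)) + payload


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (first two arcs packed)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def _decode_oid(body):
    """Decode an OBJECT IDENTIFIER body back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def der_iter(data):
    """Yield (tag, value) for every element in a DER byte string."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def build_extensions(ocsp_url=None):
    """Constructed sample: an X.509 Extensions SEQUENCE holding a keyUsage
    extension and, if a URL is given, an AIA extension with one OCSP entry."""
    key_usage = der_tlv(0x30, der_oid(KEY_USAGE_OID)
                        + der_tlv(0x01, b"\xff")                       # critical TRUE
                        + der_tlv(0x04, der_tlv(0x03, b"\x07\x80")))   # digitalSignature
    exts = [key_usage]
    if ocsp_url:
        access = der_tlv(0x30, der_oid(OCSP_OID)
                         + der_tlv(0x86, ocsp_url.encode("ascii")))    # [6] uniformResourceIdentifier
        aia = der_tlv(0x30, access)                                     # SEQUENCE OF AccessDescription
        exts.append(der_tlv(0x30, der_oid(AIA_OID) + der_tlv(0x04, aia)))
    return der_tlv(0x30, b"".join(exts))


def ocsp_urls(extensions_der):
    """Return the OCSP responder URIs listed in the AIA extension, or []."""
    urls = []
    [(_, exts_body)] = list(der_iter(extensions_der))
    for _, ext_body in der_iter(exts_body):
        fields = list(der_iter(ext_body))           # extnID, [critical], extnValue
        if _decode_oid(fields[0][1]) != AIA_OID:
            continue
        [(_, aia_body)] = list(der_iter(fields[-1][1]))
        for _, access_body in der_iter(aia_body):
            (_, method), (loc_tag, loc) = list(der_iter(access_body))
            if _decode_oid(method) == OCSP_OID and loc_tag == 0x86:
                urls.append(loc.decode("ascii"))
    return urls


def revocation_checkable(extensions_der):
    """True only if a client has at least one OCSP responder it could ask."""
    return bool(ocsp_urls(extensions_der))


if __name__ == "__main__":
    with_ocsp = build_extensions("http://ocsp.example.invalid/")
    without = build_extensions()
    print("with AIA:   ", ocsp_urls(with_ocsp), revocation_checkable(with_ocsp))
    print("without AIA:", ocsp_urls(without), revocation_checkable(without))
```

A certificate for which `revocation_checkable` returns False can only be revoked for clients that also consult a CRL distribution point or a vendor-pushed blocklist, which is exactly the situation the comment describes.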