Web browser certificate Validation flaw: Netscape, Mozilla, MSIE vulnerable - still?

From: Pidgorny, Slav (slav.pidgornyat_private)
Date: Wed Sep 18 2002 - 00:21:13 PDT


    Group,
    
    I'm referring to the certificate validation issues that recently made huge
    press:
    
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0862
    
    I have seen all sorts of apocalyptic reports and anti-MS propaganda
    regarding the issue, but in-depth technical analysis can't be easily found.
    When I was doing my research quite a while ago
    (http://online.securityfocus.com/archive/1/273101) I noticed that some
    certificates do not have Basic Constraints or any other optional fields in
    the X.509 certificate. One example is the certificate used on Steve Gibson's
    GRC Web site (https://grc.com). Those are V1 certs.
    
    The problem being, if there's no Basic Constraints or Enhanced Key Usage
    field on the certificate in the middle of the certification chain, there's
    no means for the client software to verify if a web server SSL certificate
    was used as a CA certificate. Therefore, all platforms are vulnerable to
    identity spoofing.
    
    I wouldn't consider that as a huge problem since all Internet PKI is subject
    to strict contractual agreements and violating those might well be a
    criminal offence. However, I'd like to know your opinion.
    
    Regards,
    
    S. Pidgorny, MS MVP, MCSE/SCSA
    
    DISCLAIMER: Opinions expressed by me are not necessarily my employer's; they are
    not intended to be formal and accurate. Neither myself nor my employer
    assume any responsibility for any consequences.
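
Added example, not part of the original message: a sketch of a strict issuer check for the situation the post describes, where a certificate in the middle of a chain carries no Basic Constraints (or is a V1 certificate with no extensions at all). The `Cert` model, the function name and all sample chains are constructed for illustration; certificates are assumed to be already parsed and signature-checked, and trust anchors are accepted by local configuration rather than by their own fields.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass(frozen=True)
class Cert:
    # Hypothetical model of already-parsed fields; not a real library type.
    subject: str
    version: int                    # X.509 version: 1 or 3
    ca: Optional[bool] = None       # Basic Constraints cA flag; None = extension absent
    path_len: Optional[int] = None  # pathLenConstraint; None = no limit

def issuer_problems(chain: List[Cert], anchors: Set[Cert]) -> List[str]:
    """chain[0] is the server cert; each later entry issued the one before it.
    Returns the reasons a strict client refuses the chain (empty list = accepted)."""
    problems = []
    for depth, cert in enumerate(chain[1:], start=1):
        if cert in anchors:
            break                   # trusted by configuration, so a V1 root is acceptable
        below = depth - 1           # intermediate CAs between this cert and the leaf
        if cert.version < 3:
            problems.append(f"{cert.subject}: v1 certificate cannot assert CA status")
        elif cert.ca is None:
            problems.append(f"{cert.subject}: no Basic Constraints extension")
        elif not cert.ca:
            problems.append(f"{cert.subject}: cA=FALSE, end-entity cert used as issuer")
        elif cert.path_len is not None and below > cert.path_len:
            problems.append(f"{cert.subject}: pathLenConstraint {cert.path_len} exceeded")
    else:
        problems.append("chain does not end at a configured trust anchor")
    return problems

# Constructed sample data (all names are made up).
ROOT_V1 = Cert("Example Root CA", version=1)
GOOD_CA = Cert("Example Issuing CA", version=3, ca=True, path_len=0)
SITE_V3 = Cert("www.example.test", version=3, ca=False)
SITE_V1 = Cert("legacy.example.test", version=1)
NO_BC = Cert("old.example.test", version=3)
SPOOFED = Cert("bank.example.test", version=3, ca=False)
ANCHORS = {ROOT_V1}

OK_CHAIN = [SITE_V3, GOOD_CA, ROOT_V1]
V3_ABUSE = [SPOOFED, SITE_V3, GOOD_CA, ROOT_V1]   # server cert signing another cert
V1_ABUSE = [SPOOFED, SITE_V1, GOOD_CA, ROOT_V1]   # same, but the issuer is a V1 cert
NO_BC_ABUSE = [SPOOFED, NO_BC, GOOD_CA, ROOT_V1]  # V3 issuer lacking Basic Constraints

if __name__ == "__main__":
    for name in ("OK_CHAIN", "V3_ABUSE", "V1_ABUSE", "NO_BC_ABUSE"):
        print(name, issuer_problems(globals()[name], ANCHORS) or "accepted")
```

The check treats a missing extension as a failure for every issuer that is not a configured anchor, and the `pathLenConstraint` on the issuing CA gives a second, independent rejection for each abuse chain.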
    


