Verisign's Certificate Revocation structure apparently was not designed to handle the load of large numbers of systems using crl.verisign.net. Verisign has introduced a 50% failure mechanism to gap the load on their servers. This is a side effect of the expiration of one of Verisign's Intermediate Root Certificates. Verisign has been redirecting traffic to several RFC1918 addresses, which are not routable on the Internet but are frequently used in enterprise networks. It is possible Verisign has created a Denial of Service on Enterprise services using the same RFC1918 addresses as internal systems checking for crl.verisign.net are redirected to other RFC1918 addresses. The consolidation of network power in a single company creates its own threat to the critical infrastructure when a single certificate expires instead of being randomly distributed among several different organizations.
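[Added example, not part of the original thread: a check an enterprise operator could run over the A records its resolvers return for a CRL host, flagging answers that fall in RFC1918 space and, separately, answers that land inside subnets the enterprise itself uses. The addresses, the subnet and its label are constructed; the thread does not say which RFC1918 addresses were returned.]

```python
import ipaddress

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_crl_answers(answers, internal_nets):
    """Classify each resolved address for each CRL hostname.

    answers:       {hostname: [address strings from the resolver]}
    internal_nets: {CIDR string: label} for subnets in use internally
    Returns a list of (hostname, address, verdict, internal_label).
    """
    internal = [(ipaddress.ip_network(cidr), label)
                for cidr, label in internal_nets.items()]
    findings = []
    for host, addrs in answers.items():
        for raw in addrs:
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                findings.append((host, raw, "invalid", None))
                continue
            hit = next((label for net, label in internal if ip in net), None)
            if hit is not None:
                # CRL fetches will be sent to an internal host.
                verdict = "collides-internal"
            elif any(ip in net for net in RFC1918):
                # Private but unused here: the fetch goes nowhere and times out.
                verdict = "private-unrouted"
            else:
                verdict = "public"
            findings.append((host, raw, verdict, hit))
    return findings


# Constructed sample data (assumptions, not values from the thread).
SAMPLE_ANSWERS = {"crl.verisign.net": ["10.1.2.3", "192.168.5.9", "198.51.100.7"]}
SAMPLE_INTERNAL = {"10.1.0.0/16": "hr-portal servers"}

if __name__ == "__main__":
    for finding in classify_crl_answers(SAMPLE_ANSWERS, SAMPLE_INTERNAL):
        print(finding)
```
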
: The consolidation of network power in a single company creates
: its own threat to the critical infrastructure when a single
: certificate expires instead of being randomly distributed among
: several different organizations.

Boy-o-boy that's fundamental wrt to the internet...

scott
> The consolidation of network power in a single company creates its own threat to the critical infrastructure when a single certificate expires instead of being randomly distributed among several different organizations.
I'm not sure what's involved in getting your own root certs added to browser/OS distributions but there's nothing afaik that says Verisign is the sole company providing this, presumably anyone else can agree with MS/whoever to have their root certs added.. ?

On the idea of gapping to RFC1918 space, this is imho not a good solution, either they need to upgrade their platform to take the load e.g. multicast or if they do want to blackhole traffic do it to their own IP space [worst case, do it to an ip block that they don't route]

Steve
** Reply to message from "Stephen J. Wilcox" <steve@telecomplete.co.uk> on Fri, 9 Jan 2004 13:20:18 +0000 (GMT)
> The consolidation of network power in a single company creates its own threat to the critical infrastructure when a single certificate expires instead of being randomly distributed among several different organizations.
>
> I'm not sure what's involved in getting your own root certs added to browser/OS distributions but there's nothing afaik that says Verisign is the sole company providing this, presumably anyone else can agree with MS/whoever to have their root certs added.. ?
I'm looking at the Certificate Authorities in my copy of Mozilla 1.5. I don't think I've added any, but these are the ones that are there:

ABA.ECOM, Inc
AOL Time Warner Inc.
AddTrust AB
America Online Inc.
Baltimore
Digital Signature Trust Co.
Entrust.net
Equifax
Equifax Secure
Equifax Secure Inc.
GTE Corporation
GeoTrust Inc.
GlobalSign nv-sa
RSA Data Security, Inc.
RSA Security Inc
TC TrustCenter for Security in Data Networking
Thawte
Thawte Consulting
Thawte Consulting cc
The USERTRUST Network
VISA
ValiCert, Inc.
VeriSign, Inc.
beTrusted

And in IE 6.0 there seem to be about an equal number, many of them the same.

So there appear to be alternatives to VeriSign (why is it that most of these companies have two capitals in their names?). I do remember seeing someone elsewhere complaining that he'd been trying to get his root cert added to Mozilla for two years now, so it may not be all that simple.

--
Jeff Shultz
Loose nut behind the wheel.
On Fri, 9 Jan 2004, Jeff Shultz wrote:
> So there appear to be alternatives to VeriSign (why is it that most of these companies have two capitals in their names?). I do remember seeing someone elsewhere complaining that he'd been trying to get his root cert added to Mozilla for two years now, so it may not be all that simple.
Yep, and several Universities have their own root certificates their campus users can add to their local browsers independent of other CA's. Nevertheless, several SSL surveys say Verisign (and Verisign controlled companies) control a super-majority of the certificates actively in use on the Internet. So if you are a critical infrastructure planner, you need to balance whether you use the dominant market player or several different CA's, or try to be your own CA. You may even want to obtain certificates from two different CA's in case one of them fails.
On Fri, 9 Jan 2004, Stephen J. Wilcox wrote:
> I'm not sure what's involved in getting your own root certs added to browser/OS distributions but there's nothing afaik that says Verisign is the sole company providing this, presumably anyone else can agree with MS/whoever to have their root certs added.. ?
There is nothing that says everyone must use BIND software either. Verisign frequently points out the risks of having critical infrastructure distributed among several independent organizations, and how it would be much better if a single company (i.e. Verisign) controlled it. But when 95% of the market depends on a single organization, even normal problems are magnified. Certificates normally expire, software normally has bugs, operators normally make mistakes. When those normal things happen, if the organization controls almost all of the market, mistakes impact almost all of the market.
participants (4)
- Jeff Shultz
- Scott Weeks
- Sean Donelan
- Stephen J. Wilcox