[15215] in cryptography@c2.net mail archive


Re: Verisign CRL single point of failure

daemon@ATHENA.MIT.EDU (t.c.jones@att.net)
Wed Mar 31 23:12:42 2004

X-Original-To: cryptography@metzdowd.com
From: t.c.jones@att.net
To: Rich Salz <rsalz@datapower.com>
Cc: "R. A. Hettinga" <rah@shipwright.com>, cryptography@metzdowd.com
Date: Sat, 10 Jan 2004 03:19:05 +0000

Verisign incorrectly built the new certificate causing every SSL access on IE 5.x to request a 
new CRL (700k) on every single SSL access.  This has been fixed, a new updated cert is 
available and the CRL storm is abating.  See the Verisign site for more details on what they did to 
fix the problem, but nothing of course on what they did wrong.

Note that two separate certs expired at the same time so there were two competing DOS attacks 
simultaneously.
hth  ..tom
> Can someone explain to me why the expiring of a certificate causes new 
> massive CRL queries?
> 	/r$
> 
> -- 
> Rich Salz, Chief Security Architect
> DataPower Technology                           http://www.datapower.com
> XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
> XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
