Can You Trust Online IDs?

Certificate authority VeriSign announced in March that it had erroneously issued two digital certificates to someone posing as a Microsoft employee almost two months earlier. VeriSign attributed the issuance to human error. It would not elaborate on how the company's validation process (which calls for detailed investigation into an applicant's authorization to request a certificate) was circumvented. While this kind of error may be rare, its impact could have been mitigated if certificate revocation lists (CRLs) were automatically checked.

These digital certificates include a key pair that allows the holder to encrypt data or to prove the origin and authenticity of documents sent with them. They are used to digitally sign programs so that the recipient knows they come from a trusted party and are safe to activate. An attacker could use fraudulently obtained certificates to fool users into running an unsafe program. Microsoft issued an update that installs a CRL listing the two fake certificates, so a user encountering a program signed by either certificate will see that it has been revoked. The update will also turn on the CRL checking function in Internet Explorer so that software publishers' certificates are checked for revocation.

"There are things that could have been done in the past that would have prevented this from being a problem," says Shawn Hernan, a technical staff member at the Computer Emergency Response Team (CERT). "Microsoft has chosen in the past not to enable the features that would have checked for revoked certificates automatically, though that's not entirely their fault. That's what the public has been demanding; ease of use and simple, unobstructed access to their favorite sites."

Mahi de Silva, vice president and general manager for applied trust services at VeriSign, says that there are other reasons that automatic CRL checking has not been popular. "You have the potential that the CRL could be large and there might be some issues of network timeouts when the system tries to retrieve it," he says.

Despite those concerns, de Silva says that automatic CRL checking will become more widespread. "The entire infrastructure for PKI will look at this and say, 'This is something we need to do to make the system even better than it is today.'"

Hernan agrees that the software industry can rise to the challenge. "I'm sure the [IT] community could respond to develop clever solutions to make it go acceptably fast," he says. "I'm hopeful that quick, high-speed CRL checking will be one of the results of this."
COPYRIGHT 2001 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2001 Gale, Cengage Learning. All rights reserved.

Article Details
Publication: Security Management
Article Type: Brief Article
Geographic Code: 1USA
Date: Jun 1, 2001