Commentary: VeriSign must act on fakes
VeriSign's issuing of bogus bona fides points to a problem with its process for verifying the legitimate identity of applicants for digital certificates.
VeriSign's certification practice statement (CPS) does not appear to have been updated since 1997, and it's a CPS that provides the basis for trust in certificates issued by any certificate authority.
Whoever tricked VeriSign into issuing these bogus certificates now has the power to digitally sign code to make it appear that Microsoft has blessed the software. Although VeriSign revoked these certificates shortly after issuing them, they have now been in existence for more than six weeks and can still be used where revocation is not checked.
Because VeriSign's list of revoked certificates is not published through the standard mechanism known as Certificate Revocation List (CRL) Distribution Points, and since most browsers in use don't check for revocation anyway, most users will be unable to consult the VeriSign list and discover that the bogus certificates have been revoked. This problem does not, however, affect the Secure Sockets Layer certificates used for Microsoft Web sites; it affects only signed code.
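The point above is that a relying party can only check revocation if the certificate tells it where the CRL lives. The following script is an added example, not part of the Gartner commentary: it builds two throwaway self-signed certificates (one with a CRL Distribution Points extension pointing at a placeholder URI, one without) and shows the check a defender can run on any code-signing certificate before deciding to trust it.

```shell
#!/bin/sh
# Added example: does a certificate advertise a CRL Distribution Point?
# Assumes the openssl command-line tool is installed.
set -e
WORK=$(mktemp -d)

# Constructed sample config: a signer cert WITH a CRLDP extension.
# The URI is a placeholder, not a real revocation endpoint.
cat > "$WORK/with.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = Constructed Sample Code Signer
[ext]
subjectKeyIdentifier = hash
crlDistributionPoints = URI:http://crl.example.invalid/sample.crl
EOF
# Same config with the CRLDP line removed: no revocation source at all.
sed '/crlDistributionPoints/d' "$WORK/with.cnf" > "$WORK/without.cnf"

make_cert() {  # $1 = config file, $2 = output PEM path
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$2" -config "$1" 2>/dev/null
}
make_cert "$WORK/with.cnf"    "$WORK/with.pem"
make_cert "$WORK/without.cnf" "$WORK/without.pem"

# Returns 0 when the certificate names a CRL Distribution Point, i.e. a
# relying party has a standard place to fetch revocation status from.
has_crldp() {
  openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'
}

# Defender-side verdict: a signer certificate with no CRLDP cannot be
# checked for revocation by a standard client, so treat it as untrusted.
verdict() {
  if has_crldp "$1"; then echo "$1: CRLDP present, revocation checkable"
  else echo "$1: no CRLDP, revocation not checkable, do not trust"; return 1
  fi
}
verdict "$WORK/with.pem"
verdict "$WORK/without.pem" || true
```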
If someone attempts to send users fraudulently signed software using the bogus certificates (dated January 29 and 30, 2001), these users will see a pop-up window asking them whether they want to trust this code. The pop-up will appear even if they have previously chosen to trust legitimate Microsoft certificates issued by VeriSign. However, rather than have users search through different windows to determine the date of a certificate, Gartner recommends that a special notice be sent to all users telling them to click "No" when they see this security window from Microsoft until the Microsoft update has been installed.
In the interim, enterprises should follow the guidelines in Microsoft security bulletin MS01-017 and install the Microsoft update as soon as it is available.
(For related commentary on public-key infrastructure, see TechRepublic.com--free registration required.)
Entire contents, Copyright © 2001 Gartner Group, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.