
Commentary: VeriSign must act on fakes

VeriSign's issuing of bogus bona fides points to a problem with its process for verifying the legitimate identity of applicants for digital certificates.

By John Pescatore, Gartner Analyst

VeriSign's issuing of bogus bona fides points to an apparent problem with its process for verifying the legitimate identity of applicants for digital certificates.

VeriSign's certification practice statement (CPS) does not appear to have been updated since 1997, and the CPS is what provides the basis for trust in the certificates issued by any certificate authority.

Whoever tricked VeriSign into issuing these bogus certificates now has the power to digitally sign code to make it appear that Microsoft has blessed the software. Although VeriSign revoked these certificates shortly after issuing them, they have now been in existence for more than six weeks and can still be used where revocation is not checked.

Because VeriSign's list of revoked certificates does not use the standard mechanism known as Certificate Revocation List (CRL) Distribution Points, and since most browsers in use don't check for revocation anyway, most users will be unable to consult the VeriSign list to determine that the bogus certificates have been revoked. This problem does not, however, affect the Secure Sockets Layer certificates used for Microsoft Web sites; it affects only signed code.

If someone attempts to send users fraudulently signed software using the bogus certificates--dated January 29 and 30, 2001--these users will see a pop-up window asking them whether they want to trust this code. The pop-up will appear even if they have previously chosen to trust legitimate Microsoft certificates issued by VeriSign. However, rather than have users search through several dialog windows to determine the date of a certificate, Gartner recommends that a special notice be sent to all users telling them to click "No" when they see this security window from Microsoft until the Microsoft update has been installed.

In Gartner's opinion, VeriSign should rapidly address the apparent deficiencies in its registration process, undergo a full security audit to ensure that other fraudulent certificates have not been issued under other trusted names, and provide third-party proof that it has rectified the deficiencies that led to this problem. As a last resort, enterprises should consider removing the VeriSign Commercial Software Publishers CA certificate from the Trusted Root Store in all browsers if VeriSign does not take these actions by May.

In the interim, enterprises should follow the guidelines in Microsoft security bulletin MS01-017 and install the Microsoft update as soon as it is available.
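As an added defensive check (not part of the article or of Gartner's guidance), the PowerShell script below audits signed files on a Windows host for the conditions described above: a signer issued by the named VeriSign CA, an issuance date in the January 29-30, 2001 window, or no CRL Distribution Points extension, which is what leaves revocation unchecked. The directory path, the substring match on the issuer name, and the file types audited are assumptions.

```powershell
# Added audit example, not from the article. Assumes a PowerShell 5.1+ host with the
# Cert: drive and Get-AuthenticodeSignature available; $Path is an assumed directory.
param(
    [string]$Path = 'C:\Downloads',
    [string]$CaName = 'VeriSign Commercial Software Publishers CA',
    [datetime]$WindowStart = '2001-01-29',
    [datetime]$WindowEnd   = '2001-01-31'   # exclusive upper bound
)

$crlDpOid = '2.5.29.31'   # id-ce-cRLDistributionPoints

function Test-SignerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Without a CRL Distribution Points extension, a client has no standard
    # pointer to the issuer's revocation list and cannot check it automatically.
    $hasCrlDp = [bool]($Cert.Extensions | Where-Object { $_.Oid.Value -eq $crlDpOid })
    $inWindow = ($Cert.NotBefore -ge $WindowStart) -and ($Cert.NotBefore -lt $WindowEnd)
    [pscustomobject]@{
        Subject                 = $Cert.Subject
        Issuer                  = $Cert.Issuer
        NotBefore               = $Cert.NotBefore
        HasCrlDistributionPoint = $hasCrlDp
        IssuedInSuspectWindow   = $inWindow
        Suspect                 = (-not $hasCrlDp) -or $inWindow
    }
}

Get-ChildItem -Path $Path -Recurse -Include *.exe,*.dll,*.cab,*.ocx -File |
  ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { return }
    # Substring match on the issuer DN only; this is triage, not chain validation.
    if ($sig.SignerCertificate.Issuer -notlike "*$CaName*") { return }
    Test-SignerCertificate -Cert $sig.SignerCertificate |
      Add-Member -NotePropertyName File -NotePropertyValue $_.FullName -PassThru
  } |
  Where-Object Suspect |
  Format-Table File, NotBefore, HasCrlDistributionPoint, IssuedInSuspectWindow -AutoSize

# Separately, report whether the CA is present in the machine's Trusted Root store,
# so the decision the article describes can be made with the facts in hand.
Get-ChildItem Cert:\LocalMachine\Root |
  Where-Object { $_.Subject -like "*$CaName*" } |
  Select-Object Subject, Thumbprint, NotAfter
```

A file flagged here is not proven malicious; it is one whose signature a revocation-unaware client would accept without the user being able to consult VeriSign's list.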


Entire contents, Copyright © 2001 Gartner Group, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.