Verisign CRL single point of failure: msg#00065 encryption.general

--- begin forwarded text

Date: Thu, 8 Jan 2004 18:54:46 -0500 (EST)
From: Sean Donelan <sean@xxxxxxxxxxx>
To: nanog@xxxxxxxxx
Subject: Verisign CRL single point of failure
Sender: owner-nanog@xxxxxxxxx

Verisign's Certificate Revocation structure apparently was not designed to handle the load of large numbers of systems using crl.verisign.net. Verisign has introduced a 50% failure mechanism to gap the load on their servers.

This is a side effect of the expiration of one of Verisign's Intermediate Root Certificates.

Verisign has been redirecting traffic to several RFC1918 addresses, which are not routable on the Internet but are frequently used in enterprise networks. It is possible Verisign has created a Denial of Service on Enterprise services using the same RFC1918 addresses as internal systems checking for crl.verisign.net are redirected to other RFC1918 addresses.

The consolidation of network power in a single company creates its own threat to the critical infrastructure when a single certificate expires instead of being randomly distributed among several different organizations.

--- end forwarded text

--
-----------------
R. A. Hettinga <mailto: rah@xxxxxxxx>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@xxxxxxxxxxxx
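An added example, not part of the forwarded message: a check an enterprise operator could run to see whether the answers returned for a CRL host fall in RFC1918 space and whether they land inside the operator's own internal subnets, the collision the message describes. The sample addresses, the internal subnet and the function names are constructed for illustration.

```python
import ipaddress
import socket

# RFC 1918 private blocks, not routable on the public Internet
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve_ipv4(host):
    """Ask the local resolver for the IPv4 addresses of host."""
    infos = socket.getaddrinfo(host, 80, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def audit_crl_host(host, internal_nets, resolver=resolve_ipv4):
    """Classify each address returned for a CRL host.

    internal_nets: CIDR strings for subnets used inside the enterprise.
    Returns one finding per address with a status of
    'collides-with-internal', 'unroutable-rfc1918' or 'public'.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for text in resolver(host):
        addr = ipaddress.ip_address(text)
        hits = [str(n) for n in nets if addr in n]
        if hits:
            # CRL fetches would be sent to one of our own internal systems
            status = "collides-with-internal"
        elif any(addr in block for block in RFC1918):
            # Fetch goes nowhere: revocation checks time out or fail
            status = "unroutable-rfc1918"
        else:
            status = "public"
        findings.append({"host": host, "address": text,
                         "status": status, "internal_nets": hits})
    return findings

# Constructed DNS answers for offline use (not observed data);
# 198.51.100.10 is a documentation address standing in for a public server.
SAMPLE_ANSWERS = {"crl.verisign.net":
                  ["10.1.2.3", "192.168.50.7", "198.51.100.10"]}

def sample_resolver(host):
    return SAMPLE_ANSWERS[host]

if __name__ == "__main__":
    for f in audit_crl_host("crl.verisign.net", ["10.1.0.0/16"],
                            resolver=sample_resolver):
        print(f["address"], f["status"], f["internal_nets"])
```

Calling `audit_crl_host` without the `resolver` argument uses the live resolver of the machine it runs on.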