|Networking government in New Zealand.

Tabs

Site map Access Keys Contact us About this site

You are here: Home » Services » SEEMail » S.E.E. PKI Paper 14 - International and New Zealand PKI experiences across government, v 1.0 » 4 Other Observations

4 Other Observations

Within this section:
4.1 Rationalisation of the PKI market
4.2 PKI vulnerability impacts

4.1 Rationalisation of the PKI market

34. Certificate Authorities appear to be consolidating, as they seek a sustainable business model:

In New Zealand, BaycorpID has exited the CA market. Telecom is phasing out its SecureKey CA offering.
In the US, IBM has transferred its business to VeriSign.
In Germany, one of the country's four trust centers, organizations that issue digital certificates, has already effectively shut down. That centre, run by Deutsche Post, could not find enough business to meet expenses and stays open now only to maintain its existing certificates.
In the United Kingdom, Chambersign, one of the two Certificate Authorities used by the Government Gateway has exited the business. The Chambersign certificate holders have been given the option to transfer to the Royal Bank Scotland.

35. In addition, RSA Keon, one of the major providers of PKI technology, has sold its PKI business to the original developers, TFS Technology in Switzerland. Instead they are concentrating on zero-client based forms of authentication such as one-time tokens.

4.2 PKI vulnerability impacts

36. It is of concern that PKI technology has been used / evaluated by many organisations over the last five years, yet technical vulnerabilities are still being discovered. One implication is that organisations have accepted the technology at face value, without seeking to identify vulnerabilities. In a similar fashion, this also casts doubt on the expertise of companies who sell PKI services, who had not discovered this vulnerability.

37. As an example - in August 2002 [ More information at http://www.microsoft.com/technet/treeview/default.html?url=/technet/security/bulletin/ms02-050.html], it was discovered that Microsoft's CryptoAPI had a vulnerability that could enable an attacker who had a valid end-entity certificate to issue a subordinate certificate that, although bogus, would nevertheless pass validation. CryptoAPI has been used by a wide range of applications since Windows 98, so this could enable a variety of identity spoofing attacks including:

Setting up a web site that poses as a different web site, and "proving" its identity by establishing an SSL session as the legitimate web site.
Sending emails signed using a digital certificate that purportedly belongs to a different user.
Spoofing certificate-based authentication systems to gain entry as a highly privileged user.
Digitally signing malicious software using a fake Authenticode certificate supposedly from a software company that users might trust.

38. Microsoft released a patch for the problem on 05 September 2002. On 09 September 2002, they advised that some customers who installed the patch could see unexpected error messages when installing new hardware, or in some cases might be unable to install new hardware altogether. On 20 November 2002, an updated version of the patch was released to not only eliminate the problems with the 09 September patch, but also to eliminate a newly discovered variant of the original vulnerability that could enable an attacker to gain control over a user's system.

39. Depending upon how a PKI application was implemented, this vulnerability could have caused serious problems. For example, some agencies when receiving S/MIME signed messages, verify the signature, but then strip it, so as not to cause problems at the client desktop. If an agency had not kept a copy of the signed message, then doubt could be cast on the integrity of the message.

[ Previous | Next ]