[853] in Kerberos


RE: X.509 vulnerabilities

daemon@ATHENA.MIT.EDU (NESSETT@CCC.NMFECC.GOV)
Wed Dec 20 11:34:31 1989

From: NESSETT@CCC.NMFECC.GOV
To: KERBEROS@ATHENA.MIT.EDU

There was one item raised in the recent discussion of certificates that I feel
requires further comment.  At least two correspondents pointed out that a recent
paper in the Symposium on Operating System Principles notes a vulnerability in
X.509.  Not having received the proceedings of that symposium as yet, I asked
people who are members of the privacy and security research group if they had
seen the paper.  The chairman of that group, Steve Kent of BBN, sent me the
following reply.

---------------------------forwarded message-----------------------------

> Dan,

> 	The paper in SOSP notes a vulnerability in the 509 authentication
> protocol, which has nothing to do with our use of certificates in mail
> or with certificates in general.  It is a typical oversight in the
> protocol design for the three-way handshake and the paper even proposes
> a fix.  So, I don't see this criticism of 509 being a significant issue,
> just a condemnation of the sloppiness of the standards process.

> Steve

---------------------------end of forwarded message----------------------

Dan Nessett
