Recent debate over Dark Matter’s Certificate Authority (CA) root application unearthed unsettling news about the CA industry at large. It was discovered that due to an operational error, GoDaddy, Apple and Google had mis-issued over 1 million faulty certificates with 63-bit serial numbers, instead of the 64-bits required by CA/B Forum Ballot 164 on Certificate Serial Number Entropy. Apparently, this has caused the rest of the CA industry to take a closer look at how they are treating serial entropy.
In a pre-incident report filed on March 13, a representative of Logius disclosed an issue with serial entropy at PKIoverheid, the PKI for the Dutch government. The issue impacts 22,000 TLS certificates and potentially extends to 350 EV certificates.
The report states that these faulty certificates will all need to revoked and reissued. “The intention is to revoke all affected certificates within 30 days.” The longer length of this timeframe (CA/B Forum mandates 5 days) may be due to the sensitive nature of the government entities protected by the PKI. While national ID system (DigiD), the tax services and Dutch customs may all be impacted, perhaps the most troubling are the tax services which can afford no downtime during peak periods for tax filing. Ongoing issues with Brexit may also increase availability requirements for Dutch customs.
Why the kid gloves? If any of these certificates is revoked prematurely, it could cause a system outage and extended downtime. Before the impacted agencies can methodically revoke and reissue faulty certificates, they need to locate all impacted certificates. They may also need to determine who the certificate owner is and exactly which systems it is installed on. This effort may not be as easy as it would seem. If they are using manual methods to track certificates, this could prove to be an arduous task.
Security researcher Scott Helme provides insight into the potential impact of such an event. "The Logius PKIoverheid issue demonstrates why it's prudent to have contingency plans for recovery after a CA incident. With erroneous issuance, like the serial entropy issue here, or something far more sinister like catastrophic CA failure or distrust, you can find yourself with the requirement to replace all of your certificates quickly. The ability to quickly re-issue and replace all certificates will avoid lengthy downtime, especially if issuance is required from a new CA."
n the case of Logius PKIoverheid, issues surrounding serial entropy could potentially lead to increased security risks. In the description for Ballot 164 on serial entropy, the CA/B Forum advises, “Adding random bits to issued certificates mitigates collision attacks and means that an attacker must be capable of a much harder preimage attack. For a long time the Baseline Requirements have encouraged adding random bits to the serial number of a certificate, and it is now common practice. This ballot makes that best practice required, which will make the Web PKI much more robust against all future weaknesses in hash functions.”
Any time a CA makes an error which could impact the security of your machine identities, you need to be prepared to turn on a dime. Venafi chief security architect, Mike Dodson, explains why you need CA Agility in order to react quickly in the case of a CA error. “The bottom line is that there are many motivations for changing CAs, and you need to be prepared to make these changes quickly if the situation requires it. To keep your fingers on the pulse of your encryption environment, you’ll need the agility to dial up or dial down your CA exposure in response to external and internal demands.”
Unfortunately, there has been a long history of certificates that have been impacted by compromise or CA error. The distrust of Symantec is still probably the largest and most publicized. As a result, there is a growing awareness of the need for CA Agility. In a blog post, Kevin Bocek, vice president of security and threat intelligence for Venafi notes, “Over the past year, more and more CISOs and security architects have expressed concern over the lack of agility in their machine identity programs. Many teams are not prepared or equipped to respond quickly to changes, especially in regards to their digital certificates.”
In fact, the issue has become large enough that Gartner analysts have dedicated an entire research note to the topic: Better Safe Than Sorry: Preparing for Crypto-Agility.