OSSA-2013-009: Keystone PKI tokens online validation bypasses revocation check

Date:March 20, 2013


  • Keystone: Folsom


Guang Yee from HP reported a vulnerability in the revocation check for Keystone PKI tokens. Those tokens are supposed to be validated locally using cryptographic checks, but the user also has the option of asking the server to validate them. In that case, the online verification of PKI tokens would bypass the revocation check, potentially affirming revocated tokens are still valid. Only Folsom setups making use of online verification of PKI tokens are affected.


  • Guang Yee from HP (CVE-2013-1865)