<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Yes, certainly, at a minimum, CAs should not be issuing new certificates for keys they themselves have previously determined to be compromised.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>As you correctly note, this is currently a fairly common occurrence.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-Tim<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Jeremy Rowley <br><b>Sent:</b> Tuesday, August 21, 2018 4:51 PM<br><b>To:</b> Ryan Sleevi <sleevi@google.com>; CA/Browser Forum Public Discussion List <public@cabforum.org>; Tim Hollebeek <tim.hollebeek@digicert.com><br><b>Subject:</b> RE: [cabfpub] Issuance of certificates for keys reported as compromised<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I think Tim is proposing the CA should check their own database of keys revoked for compromise to make sure they don’t issue a cert with the same key. For example, we re-issued the Blizzard cert that was revoked when the key was posted online. We’ve found that regardless of the reason for revocation pretty much every CA will issue a cert with a previous key.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>If the key is compromised, eventually you just get it revoked with enough CAs that people don’t use that same key. It’s not exactly hard to generate a new end entity key.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>From:</b> Public <<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Ryan Sleevi via Public<br><b>Sent:</b> Tuesday, August 21, 2018 1:34 PM<br><b>To:</b> Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>>; CABFPub <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br><b>Subject:</b> Re: [cabfpub] Issuance of certificates for keys reported as compromised<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>I seem to recall we've discussed this before. There are a number of practical challenges with this, and that any reasonable proposal would need to provide interoperable guidance for. In short, it was substantial work, for questionable gain, and while it sounds sensible, the devil is in the details.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>We need to define what a compromised key is, how it was reported, and how it was determined. Without these basic things, you have the potential for malicious DoS. For example, we know of some CAs that revoke certificates as compromised even with faulty demonstration of proof, or insufficient proof. We've had substantial discussions about what counts as reasonable proof versus not - e.g. the signing of nonces or the like.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>You then have to have CAs consistently reporting (e.g. through CRLs and OCSP) the reason for revocation. All CAs would need to check all other CAs, or there would need to be some meta-service to aggregate. If there is an aggregated metaservice, you have to determine how to authenticate that metaservice and its information - it becomes a single point of attack for DoS.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Once you've built a system that allows revoking an entire key off the Internet, you then have to deal with the policy ramifications of such a centralized risk, such as giving a single avenue for political or external attacks, such as revoking keys as 'compromised' if, for example, they are used to host 'objectionable' content.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>As you can see, these are just a few of the issues that present themselves.<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Tue, Aug 21, 2018 at 2:42 PM Tim Hollebeek via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Should we update the BRs to disallow issuance of certificates for key pairs that have been previously reported as compromised?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I’m not aware of any CAs that currently do that check today, but it’s not that difficult to do. It might be a sensible thing to add in the future. However it only works if all CAs do it, otherwise subscribers will just get their compromised key signed by a different CA.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>-Tim<o:p></o:p></p></div></div><p class=MsoNormal>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></blockquote></div></div></div></body></html>