<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 14/1/2021 12:30 a.m., Rob Stradling
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:MW3PR17MB41221D1005631E9E0BC135DAAAA90@MW3PR17MB4122.namprd17.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
Thanks Dimitris.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
So far I've generated the RSA-2048 and RSA-3072 keys using <a
href="https://github.com/CVE-2008-0166/key_generator"
moz-do-not-send="true">
https://github.com/CVE-2008-0166/key_generator</a> and
uploaded them to <a
href="https://github.com/CVE-2008-0166/private_keys"
moz-do-not-send="true">
https://github.com/CVE-2008-0166/private_keys</a>, and I've
generated the corresponding blocklists and uploaded them to
<a href="https://github.com/CVE-2008-0166/openssl_blocklists"
moz-do-not-send="true">https://github.com/CVE-2008-0166/openssl_blocklists</a>.
My RSA-2048 blocklists exactly match the ones from the original
Debian openssl-blacklist package.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
I'm mid-way through generating the RSA-4096 keys.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
Let's compare keys when we're both done. 🙂</div>
</blockquote>
<br>
Certainly :-) the RSA-2048 keys already match the fingerprints from
the openssl-blacklist Debian package.<br>
<br>
We did this work several months ago but never found the time to make
it publicly available. We managed to break down the big task and run
jobs in parallel which made things a bit more interesting.<br>
<br>
It's nice we did this independently, I guess it increases the
accuracy level of the resulting keys :)<br>
<br>
<br>
Cheers,<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:MW3PR17MB41221D1005631E9E0BC135DAAAA90@MW3PR17MB4122.namprd17.prod.outlook.com">
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
Dimitris Zacharopoulos (HARICA) <a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a><br>
<b>Sent:</b> 13 January 2021 21:49<br>
<b>To:</b> Rob Stradling <a class="moz-txt-link-rfc2396E" href="mailto:rob@sectigo.com"><rob@sectigo.com></a>; CA/B Forum
Server Certificate WG Public Discussion List
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a>; Jacob Hoffman-Andrews
<a class="moz-txt-link-rfc2396E" href="mailto:jsha@letsencrypt.org"><jsha@letsencrypt.org></a>; Christopher Kemmerer
<a class="moz-txt-link-rfc2396E" href="mailto:chris@ssl.com"><chris@ssl.com></a><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot proposal:
Debian Weak keys</font>
<div> </div>
</div>
<div>
<br>
<div>Dear friends,<br>
<br>
HARICA has generated the weak keys (RSA 2048 and 4096 bit
lengths) from the vulnerable openssl package. We will
generate 3072 bit keys as well and add them soon. The
methodology is described in the following GitHub repo along
with the produced keys:<br>
<ul>
<li><a class="x_moz-txt-link-freetext"
href="https://github.com/HARICA-official/debian-weak-keys"
moz-do-not-send="true">https://github.com/HARICA-official/debian-weak-keys</a></li>
</ul>
Please review and let us know if you spot any issues or
problems with our approach and methodology.<br>
<br>
As always, please use other people's work at your own risk.<br>
<br>
<br>
Dimitris.<br>
<br>
<div class="x_moz-cite-prefix">On 7/1/2021 2:25 p.m., Rob
Stradling via Servercert-wg wrote:<br>
</div>
<blockquote type="cite">
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
I've used crt.sh to produce a survey of key
algorithms/sizes in currently unexpired,
publicly-trusted server certificates:</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<a
href="https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5"
moz-do-not-send="true">https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5</a><br>
</div>
<div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
The four most popular choices are no surprise:
RSA-2048, P-256, RSA-4096, and P-384.
openssl-blacklist covers RSA-2048 and RSA-4096, and
ECC keys are implicitly not Debian weak keys.</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<span style="color:rgb(0,0,0);
font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt">Fifth most popular is RSA-3072, with
over 3 million unexpired, publicly-trusted server
certs. openssl-blacklist doesn't cover RSA-3072,
but ISTM that this is a key size that CAs will want
to permit.</span><br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<span style="color:rgb(0,0,0);
font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt"><br>
</span></div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Some of the lesser used key sizes are most likely
due to Subscriber typos (e.g., 2408 and 3048 were
probably intended to be 2048, 4048 was probably
intended to be either 2048 or 4096, etc), but some of
the other ones look like they were deliberately chosen
(e.g., 2432 is 2048+384). Is it worth generating
Debian weak keys/blocklists for any of these key
sizes?</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<span style="color:rgb(0,0,0);
font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt"><br>
</span></div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<span style="color:rgb(0,0,0);
font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt"><a
href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf"
moz-do-not-send="true">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf</a> (Table
4, p59) permits RSA-2048 until the end of 2030,
whereas </span><a
href="https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.2.pdf"
style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt"
moz-do-not-send="true">https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.2.pdf</a> permits
RSA-2048 only until the end of 2025. It is of course
possible that quantum computing will render RSA
obsolete before Subscribers need to think about which
larger RSA keysize they want to migrate to; however,
it seems prudent to also plan for the possibility that
RSA will survive and that some other RSA keysize(s)
might become popular.</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block;
width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri, sans-serif"
color="#000000"><b>From:</b> Servercert-wg
<a class="x_moz-txt-link-rfc2396E"
href="mailto:servercert-wg-bounces@cabforum.org"
moz-do-not-send="true">
<servercert-wg-bounces@cabforum.org></a> on
behalf of Rob Stradling via Servercert-wg
<a class="x_moz-txt-link-rfc2396E"
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true"><servercert-wg@cabforum.org></a><br>
<b>Sent:</b> 06 January 2021 16:08<br>
<b>To:</b> Jacob Hoffman-Andrews <a
class="x_moz-txt-link-rfc2396E"
href="mailto:jsha@letsencrypt.org"
moz-do-not-send="true">
<jsha@letsencrypt.org></a>; Christopher
Kemmerer <a class="x_moz-txt-link-rfc2396E"
href="mailto:chris@ssl.com" moz-do-not-send="true">
<chris@ssl.com></a>; CA/B Forum Server
Certificate WG Public Discussion List <a
class="x_moz-txt-link-rfc2396E"
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true">
<servercert-wg@cabforum.org></a><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot
proposal: Debian Weak keys</font>
<div> </div>
</div>
<div dir="ltr">
<br>
<div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt">Jacob
wrote:</div>
<div style="margin:0px; font-size:12pt">>
Lastly, I think we should archive
openssl-blacklist, and include in the BRs: "A CA
may reject the full set of Debian weak keys by
rejecting this superset of the Debian weak keys:</div>
<div style="margin:0px; font-size:12pt">><br>
<div>> - All RSA public keys with modulus
lengths other than 2048 or 4096, and</div>
<div>> - All RSA public keys with exponents
other than 65537, and</div>
<div><br>
</div>
<div>Hi Jacob. 65537 (aka 0x10001) is
hard-coded here...</div>
<div><span
style="background-color:rgb(255,255,255);
display:inline!important"><br>
</span></div>
<div><span
style="background-color:rgb(255,255,255);
display:inline!important"><a
href="https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768"
moz-do-not-send="true">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768</a><br>
</span></div>
<div><br>
</div>
<div>Would it therefore be fair to say that keys
with public exponents other than 65537 are
implicitly
<u>not</u> Debian weak keys?</div>
<div><br>
</div>
> - All RSA public keys that are detected as
vulnerable by the openssl-vulnkey program in the
openssl-blacklist package version 0.5-3 (see
addendum), or an equivalent program."</div>
</div>
<div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block;
width:98%">
<div id="x_x_divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri,
sans-serif" color="#000000"><b>From:</b>
Servercert-wg
<a class="x_moz-txt-link-rfc2396E"
href="mailto:servercert-wg-bounces@cabforum.org"
moz-do-not-send="true">
<servercert-wg-bounces@cabforum.org></a>
on behalf of Jacob Hoffman-Andrews via
Servercert-wg
<a class="x_moz-txt-link-rfc2396E"
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true"><servercert-wg@cabforum.org></a><br>
<b>Sent:</b> 12 December 2020 02:21<br>
<b>To:</b> Christopher Kemmerer <a
class="x_moz-txt-link-rfc2396E"
href="mailto:chris@ssl.com"
moz-do-not-send="true">
<chris@ssl.com></a>; CA/B Forum Server
Certificate WG Public Discussion List <a
class="x_moz-txt-link-rfc2396E"
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true">
<servercert-wg@cabforum.org></a><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX
Ballot proposal: Debian Weak keys</font>
<div> </div>
</div>
<div>
<br>
<div>
<div dir="ltr">Thanks for your continued
efforts to improve this part of the BRs!
Let's Encrypt is in theory interested in
endorsing, but I think it still needs a bit
of work. Thanks for incorporating my most
recent comments on endianness and word size
vs 11 platforms.<br>
<br>
Goals: We want CAs to consistently not issue
certificates for weak keys in general, and
also in the specific case of Debian and ROCA
keys. We want the definition of Debian and
ROCA keys to be clear and actionable for as
long as possible - say, at least twenty
years.<br>
<br>
We have three ways to specify Debian and
ROCA keys: With a list, with a tool, or with
an algorithm*. The original revision of this
ballot proposed to use a list (<a
href="https://lists.cabforum.org/pipermail/servercert-wg/2020-April/001821.html"
moz-do-not-send="true">https://lists.cabforum.org/pipermail/servercert-wg/2020-April/001821.html</a>).
There were two objections:<br>
<br>
- The list (openssl-blacklist) is subject
to change or removal.<br>
- The list only covers 2048 and 4096 bit
keys.<br>
<br>
The current draft proposes specifying a tool
for ROCA (<a
href="https://github.com/crocs-muni/roca"
moz-do-not-send="true">https://github.com/crocs-muni/roca</a>)
and an algorithm for Debian keys.<br>
<br>
The ROCA tool is subject to change or
removal, just like the openssl-blacklist
package. I propose we instead specify ROCA
detection in terms of the paper (<a
href="https://crocs.fi.muni.cz/public/papers/rsa_ccs17"
moz-do-not-send="true">https://crocs.fi.muni.cz/public/papers/rsa_ccs17</a>)
and ask for permission from the authors to
archive an unchanging copy as an addendum to
the BRs.<br>
<br>
For Debian keys, what looks like an
algorithm specification is actually a tool +
algorithm specification. The tool is
"OpenSSL 0.9.8c-1 up to versions before
0.9.8g-9 on Debian-based operating systems"
(per CVE-2008-0166 -
<a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0166"
moz-do-not-send="true">
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0166</a>). To ensure
an unchanging copy of that, we should
archive 3 copies of Debian, for the 3 word
size + endianness combinations.<br>
<br>
The algorithm also needs an additional line:
"v) using the command 'openssl req -nodes
-subj / -newkey rsa:<Public Key
length>'" (adapted from
<a
href="https://sources.debian.org/data/main/o/openssl-blacklist/0.5-3/examples/gen_certs.sh"
moz-do-not-send="true">
https://sources.debian.org/data/main/o/openssl-blacklist/0.5-3/examples/gen_certs.sh</a>).
Other tools that linked OpenSSL, like
openvpn and openssh, generated different
sets of keys. We can include or exclude
openvpn and openssh keys, but should
thoroughly specify.<br>
<br>
Lastly, I think we should archive
openssl-blacklist, and include in the BRs:
"A CA may reject the full set of Debian weak
keys by rejecting this superset of the
Debian weak keys:<br>
<br>
- All RSA public keys with modulus lengths
other than 2048 or 4096, and<br>
- All RSA public keys with exponents other
than 65537, and<br>
- All RSA public keys that are detected as
vulnerable by the openssl-vulnkey program in
the openssl-blacklist package version 0.5-3
(see addendum), or an equivalent program."<br>
<br>
My reasoning: Given the difficulty of
correctly setting up old Debian versions and
generating weak keys for sizes that are not
part of openssl-blacklist, I expect most CAs
will choose this path. Given that, we should
just say what we mean: the pregenerated list
is fine if you restrict key sizes, but you
don't *have* to restrict key sizes, so long
as you have an alternate method to ensure
you're not issuing for Debian weak keys at
other sizes.<br>
<br>
*I'm considering specifying an algorithm to
be functionally equivalent to specifying an
"outcome," though I recognize this may be
too hand-wavy.<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="x_mimeAttachmentHeader"></fieldset>
<pre class="x_moz-quote-pre">_______________________________________________
Servercert-wg mailing list
<a class="x_moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org" moz-do-not-send="true">Servercert-wg@cabforum.org</a>
<a class="x_moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
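<p>Editor's note, added to this archived thread and not part of any of the messages above: the check Jacob proposes (reject modulus sizes the blocklists do not cover, reject exponents other than 65537, reject anything openssl-vulnkey flags) and the ROCA detection he wants pinned to the paper are both small enough to show in code. The example below is written for this page; it is not HARICA's, Sectigo's or the Debian package's tooling. It goes slightly beyond Jacob's wording in two ways it says so: the blocklist is keyed by modulus size, so a 3072-bit list like the ones Rob and HARICA generated plugs in next to the 2048/4096 lists, and the ROCA test from the CCS'17 paper is applied in the same pass. Assumptions to verify before relying on it: the fingerprint derivation (SHA-1 over the exact <code>Modulus=&lt;HEX&gt;</code> line that <code>openssl rsa -noout -modulus</code> prints, keeping the last 20 hex digits) is the openssl-blacklist convention as understood here, and the ROCA test uses the first 39 primes, which divide the generator modulus M for every affected key size. All sample moduli are constructed integers, not real keys.</p>

```python
"""Screen an RSA public key along the lines the thread discusses: look the
modulus up in a Debian weak-key (CVE-2008-0166) blocklist, apply the
"superset" rejection rule from Jacob's message, and test for the ROCA
fingerprint.  Added example for this page, not HARICA's, Sectigo's or the
Debian package's own code.  Standard library only; takes (n, e) as integers."""
import hashlib

# The first 39 primes.  The smallest ROCA generator modulus M is their
# product, and the M used for larger key sizes is divisible by all of them.
_ROCA_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]


def _powers_of_65537_mod(p: int) -> frozenset:
    """The subgroup {65537**k mod p}: ROCA primes are k*M + 65537**a (mod M),
    so a ROCA modulus p*q is a power of 65537 modulo every prime dividing M."""
    g, seen, x = 65537 % p, set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % p
    return frozenset(seen)


_ROCA_RESIDUES = {p: _powers_of_65537_mod(p) for p in _ROCA_PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """True when n is a power of 65537 modulo each small prime (the CCS'17
    fingerprint); an honestly generated modulus fails this almost surely."""
    return all(n % p in _ROCA_RESIDUES[p] for p in _ROCA_PRIMES)


def debian_fingerprint(n: int) -> str:
    """Blocklist entry for modulus n in the openssl-blacklist convention as
    understood here (assumption; check the package's README): SHA-1 over the
    exact line `openssl rsa -noout -modulus` prints, i.e. "Modulus=<HEX>\\n"
    with upper-case hex, keeping only the last 20 hex digits (80 bits)."""
    line = f"Modulus={n:X}\n".encode("ascii")
    return hashlib.sha1(line).hexdigest()[20:]


def screen_rsa_key(n: int, e: int, blocklists: dict) -> tuple:
    """Jacob's superset rule plus a ROCA test.  `blocklists` maps modulus bit
    length to a set of fingerprints (the 2048 and 4096 lists from
    openssl-blacklist, plus e.g. a 3072 list a CA generated itself).
    Returns (accepted, reason)."""
    bits = n.bit_length()
    if e != 65537:
        # Deliberately over-broad: 0.9.8 req.c hard-codes 65537 (Rob's point),
        # so other exponents cannot be Debian weak keys, but the superset rule
        # rejects them rather than reason about each one.
        return False, f"public exponent {e} is not 65537"
    if bits not in blocklists:
        return False, f"no Debian weak-key blocklist for RSA-{bits}"
    if debian_fingerprint(n) in blocklists[bits]:
        return False, f"RSA-{bits} modulus is a known Debian weak key"
    if has_roca_fingerprint(n):
        return False, "modulus carries the ROCA fingerprint"
    return True, "ok"


# Constructed sample inputs, not real keys: a 2048-bit odd number standing in
# for an honest modulus, a neighbour of it that we put on the blocklist, and a
# number congruent to 65537**7 modulo the product of the ROCA primes.
SAMPLE_N = (1 << 2047) | 1
SAMPLE_BLOCKLISTED_N = SAMPLE_N + 2
_M = 1
for _p in _ROCA_PRIMES:
    _M *= _p
SAMPLE_ROCA_N = _M * ((1 << 2047) // _M + 1) + pow(65537, 7, _M)
SAMPLE_BLOCKLISTS = {2048: {debian_fingerprint(SAMPLE_BLOCKLISTED_N)},
                     4096: set()}

if __name__ == "__main__":
    for label, n, e in [("honest 2048", SAMPLE_N, 65537),
                        ("blocklisted 2048", SAMPLE_BLOCKLISTED_N, 65537),
                        ("ROCA-shaped 2048", SAMPLE_ROCA_N, 65537),
                        ("3072, no list", (1 << 3071) | 1, 65537),
                        ("e=3", SAMPLE_N, 3)]:
        print(f"{label:18s} -> {screen_rsa_key(n, e, SAMPLE_BLOCKLISTS)}")
```

<p>To use it against real material, load each <code>blacklist.RSA-NNNN</code> file from openssl-blacklist (or a list generated with the repositories linked above) into the set for that size, and feed the modulus and exponent parsed from the CSR. Note that the 3072-bit entry in <code>blocklists</code> is what turns Jacob's "reject sizes other than 2048 or 4096" into "reject sizes you have no list for", which is the alternate method his last paragraph allows.</p>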
<br>
</body>
</html>