<div dir="ltr">When it's ready, Mozilla will endorse.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 20, 2021 at 4:38 PM Christopher Kemmerer <<a href="mailto:chris@ssl.com">chris@ssl.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Thanks, Ben. We are
reviewing this section (and the entire proposed ballot) and
revising for clarity.<br>
<br>
Chris K<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div>On 9/14/2021 11:14 AM, Ben Wilson
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Is there a missing "and" in the following list? Can this
language be clarified?<br>
</div>
<div><br>
</div>
<div>
<pre>6.1.1.4 Subscriber Key Pair Parameters
The CA SHALL reject keys (per 6.1.1.3(b)) if the following parameters apply:
i) Big-endian 32-bit, little-endian 32-bit, and little-endian 64-bit architecture;
ii) Process ID of 0 to 32767, inclusive;
iii) All RSA Public Key lengths supported by the CA;
iv) rnd, nornd, and noreadrnd OpenSSL random file state.</pre>
</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Sep 2, 2021 at 2:53 PM
Chris Kemmerer via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="font-size:12pt">Thanks for the endorsement and
suggested changes, Rob. The updated language below
incorporates these, thus adding a Section 6.1.1.4 and
moving the key parameters therein.<br>
<br>
We welcome input from the community and are seeking a
second endorser.<br>
<br>
Chris K<br>
<br>
=====<br>
<br>
SCXX Ballot proposal: Debian Weak keys
<div><br>
</div>
<div>NOTE: Edited per latest (20210824) RS suggestion,
see new section 6.1.1.4.</div>
<div><br>
-----<br>
</div>
<div><br>
</div>
<div>--- Motion Begins ---</div>
<div><br>
</div>
<div>This ballot modifies the “Baseline Requirements for
the Issuance and Management of Publicly-Trusted
Certificates” as follows, based on Version 1.7.9:</div>
<div><br>
</div>
<div><b>Proposed ballot language:</b></div>
<div><br>
</div>
<div>4.9.1.1 Reasons for Revoking a Subscriber
Certificate</div>
<div> </div>
<div><b>REPLACE:</b></div>
<div><br>
</div>
<div>4. The CA is made aware of a demonstrated or proven
method that can easily compute the Subscriber’s
Private Key based on the Public Key in the Certificate
(such as a Debian weak key, see <a href="https://wiki.debian.org/SSLkeys" target="_blank">https://wiki.debian.org/SSLkeys</a>)</div>
<div><br>
</div>
<div><b>With:</b></div>
<div><br>
</div>
<div>4. The CA is made aware of a demonstrated or proven
method that can easily compute the Subscriber’s
Private Key (such as those identified in 6.1.1.3(4)).</div>
<div><br>
</div>
<div>---</div>
<div><br>
</div>
<div>6.1.1.3. Subscriber Key Pair Generation</div>
<div><br>
</div>
<div><b>REPLACE:</b></div>
<div><br>
</div>
<div>The CA SHALL reject a certificate request if one or
more of the following conditions are met:</div>
<div><br>
</div>
<div>1. The Key Pair does not meet the requirements set
forth in Section 6.1.5 and/or Section 6.1.6;</div>
<div><br>
</div>
<div>2. There is clear evidence that the specific method
used to generate the Private Key was flawed;</div>
<div><br>
</div>
<div>3. The CA is aware of a demonstrated or proven
method that exposes the Applicant's Private Key to
compromise;</div>
<div><br>
</div>
<div>4. The CA has previously been made aware that the
Applicant's Private Key has suffered a Key Compromise,
such as through the provisions of Section 4.9.1.1;</div>
<div><br>
</div>
<div>5. The CA is aware of a demonstrated or proven
method to easily compute the Applicant's Private Key
based on the Public Key (such as a Debian weak key,
see <a href="https://wiki.debian.org/SSLkeys" target="_blank">https://wiki.debian.org/SSLkeys</a>).</div>
<div><br>
</div>
<div><b>With:</b></div>
<div><br>
</div>
<div>The CA SHALL reject a certificate request if one or
more of the following occurs:</div>
<div><br>
</div>
<div>1) The requested Public Key does not meet the
requirements set forth in Sections 6.1.5 and/or 6.1.6;</div>
<div><br>
</div>
<div>2) The CA is aware of a demonstrated or proven
method that exposes the Subscriber's Private Key to
compromise;</div>
<div><br>
</div>
<div>3) The CA has previously been made aware that the
Subscriber's Private Key has suffered a Key
Compromise, such as through the provisions of Section
4.9.1.1;</div>
<div><br>
</div>
<div>4) The Public Key corresponds to an industry
demonstrated weak Private Key, in particular:</div>
<div><br>
</div>
<div>a) In the case of ROCA vulnerability, the CA SHALL
reject keys identified by the tools available at <a href="https://github.com/crocs-muni/roca" target="_blank">https://github.com/crocs-muni/roca</a>
or equivalent.</div>
<div><br>
</div>
<div>b) In the case of Debian weak keys (<a href="https://wiki.debian.org/SSLkeys" target="_blank">https://wiki.debian.org/SSLkeys</a>),
the CA SHALL reject keys generated by the flawed
OpenSSL version with the combination of the parameters
described in 6.1.1.4.<br>
<br>
<b>ADD:</b><br>
</div>
<div><br>
</div>
<div>6.1.1.4 Subscriber Key Pair Parameters</div>
<div><br>
</div>
<div>The CA SHALL reject keys (per 6.1.1.3(b)) if the
following parameters apply:
</div>
<div><br>
</div>
<div>i) Big-endian 32-bit, little-endian 32-bit, and
little-endian 64-bit architecture;</div>
<div><br>
</div>
<div>ii) Process ID of 0 to 32767, inclusive;</div>
<div><br>
</div>
<div>iii) All RSA Public Key lengths supported by the
CA;</div>
<div><br>
</div>
<div>iv) rnd, nornd, and noreadrnd OpenSSL random file
state.</div>
<div><br>
</div>
<div>These are some suggested tools that CAs MAY use to
obtain lists of Debian weak keys:</div>
<div><br>
</div>
<div> - <a href="https://github.com/CVE-2008-0166" target="_blank">https://github.com/CVE-2008-0166</a>
provides a generator, for the complete set of
parameters listed above, that runs on any modern
64-bit Linux system; it also provides complete sets of
pregenerated keys for the most common RSA key sizes.</div>
<div> - <a href="https://github.com/HARICA-official/debian-weak-keys" target="_blank">https://github.com/HARICA-official/debian-weak-keys</a>
provides a generator, for a subset of the parameters
listed above, that can take advantage of a computer
cluster.</div>
<div><br>
</div>
--- Motion Ends --- </div>
<br>
</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_-3798143528580690523gmail-m_6461232490569725619divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri,
sans-serif" color="#000000"><b>From:</b> Rob Stradling
<<a href="mailto:rob@sectigo.com" target="_blank">rob@sectigo.com</a>><br>
<b>Sent:</b> Tuesday, August 24, 2021 4:01 PM<br>
<b>To:</b> Chris Kemmerer <<a href="mailto:chris@ssl.com" target="_blank">chris@ssl.com</a>>;
Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>>;
CA/B Forum Server Certificate WG Public Discussion
List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>;
Jacob Hoffman-Andrews <<a href="mailto:jsha@letsencrypt.org" target="_blank">jsha@letsencrypt.org</a>><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot
proposal: Debian Weak keys</font>
<div> </div>
</div>
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Hi
Christopher.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">> We
would still like to determine the best way to direct
CAs to the weak key populations assembled through the
work of yourself and HARICA.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Here's
my suggestion...</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Change...</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><i>"b)
In the case of Debian weak keys (<a href="https://wiki.debian.org/SSLkeys" target="_blank">https://wiki.debian.org/SSLkeys</a>),
the CA SHALL reject at least keys generated by the
flawed OpenSSL version with the combination of the
following parameters:"</i></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">...to...</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><i>"<span style="background-color:rgb(255,255,255);display:inline">b) In the case
of Debian weak keys (<a href="https://wiki.debian.org/SSLkeys" target="_blank">https://wiki.debian.org/SSLkeys</a>),
the CA SHALL reject at least keys generated by the
flawed OpenSSL version with the combination of the
parameters listed in section 6.1.1.4."</span></i></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Move
the list of parameters (<i>"i) Big-endian
32-bit...random file state"</i>) into a new section
6.1.1.4, entitled
<i>"Debian weak keys (CVE-2008-0166)"</i>.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">At
the end of the new section 6.1.1.4, add this text...</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><i>"These
are some suggested tools that CAs MAY use to obtain
lists of Debian weak keys:</i></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><i>
- <a href="https://github.com/CVE-2008-0166" target="_blank">https://github.com/CVE-2008-0166</a> provides
a generator, for the complete set of parameters
listed above, that runs on any <span style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt">modern
64-bit Linux system; it also provides complete
sets of pregenerated keys for the most common RSA
key sizes.</span></i></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><i><span style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt">
- <a href="https://github.com/HARICA-official/debian-weak-keys" target="_blank">https://github.com/HARICA-official/debian-weak-keys</a> provides
a generator, for a subset of the parameters listed
above, that can take advantage of a computer
cluster."</span></i></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">> We
believe this proposal offers clearer guidance on this
matter than the current BR language, and is an
opportunity to make an ecosystem-wide improvement in
CA practices.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">I
agree. I'd be happy to endorse.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">>
(NOTE: Edited per RS suggestion, updated version
number to 1.7.9, but still currently directs to <a href="http://debian.org" target="_blank">debian.org</a> resource)<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">I
think it's still valuable to mention <a href="https://wiki.debian.org/SSLkeys" style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt" target="_blank">https://wiki.debian.org/SSLkeys</a>.</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_-3798143528580690523gmail-m_6461232490569725619x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b>
Christopher Kemmerer <<a href="mailto:chris@ssl.com" target="_blank">chris@ssl.com</a>><br>
<b>Sent:</b> 18 August 2021 22:37<br>
<b>To:</b> Rob Stradling <<a href="mailto:rob@sectigo.com" target="_blank">rob@sectigo.com</a>>;
Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>>;
CA/B Forum Server Certificate WG Public Discussion
List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>;
Jacob Hoffman-Andrews <<a href="mailto:jsha@letsencrypt.org" target="_blank">jsha@letsencrypt.org</a>><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot
proposal: Debian Weak keys</font>
<div> </div>
</div>
<div>
<p style="margin-top:0px;margin-bottom:0px">
</p>
<br>
<p style="margin-top:0px;margin-bottom:0px">
</p>
<div>
<p style="margin-top:0px;margin-bottom:0px">
Hello Rob,<br>
<br>
Thanks for the useful suggestion. We've amended
our proposed ballot language accordingly.<br>
<br>
We would still like to determine the best way to
direct CAs to the weak key populations assembled
through the work of yourself and HARICA.<br>
<br>
On the broader question of how to proceed, we
see three options for community consideration:<br>
<br>
- Carry forward with this proposed ballot;<br>
- Consider adding this language to a future
cleanup ballot; or<br>
- Declaring that current language and guidance
are sufficient.<br>
<br>
To recap, the ur-issue is itself from 2006-2008,
our initial request for input on this matter was
made in April 2020 and this ballot language has
been under (sporadic) discussion since December
2020. Given the narrow focus of the issue
itself, this could certainly be considered a low
priority, and thus wrapped into a future cleanup
ballot (rather than undergoing a separate ballot
procedure).<br>
<br>
However, we note that the impetus for this
ballot discussion was failure of a
publicly-trusted CA to prevent issuance of a
certificate using a Debian weak key in March
2020. We aim to ensure this doesn't happen again
by clear delineation of expected practices (and
direction to appropriate resources) in our
Baseline Requirements.<br>
<br>
We believe this proposal offers clearer guidance
on this matter than the current BR language, and
is an opportunity to make an ecosystem-wide
improvement in CA practices.<br>
<br>
We hope to discuss this in our regular call and
very much welcome community input.<br>
<br>
Regards,<br>
<br>
Chris K<br>
<br>
=====<br>
<br>
SCXX Ballot proposal: Debian Weak keys<br>
<br>
(NOTE: Edited per RS suggestion, updated version
number to 1.7.9, but still currently directs to
<a href="http://debian.org" target="_blank">debian.org</a>
resource)<br>
<br>
=====<br>
<br>
--- Motion Begins --- <br>
<br>
This ballot modifies the “Baseline Requirements
for the Issuance and Management of
Publicly-Trusted Certificates” as follows, based
on Version 1.7.9:
<br>
<br>
Proposed ballot language: <br>
<br>
4.9.1.1 Reasons for Revoking a Subscriber
Certificate <br>
<br>
Replace: <br>
<br>
4. The CA is made aware of a demonstrated or
proven method that can easily compute the
Subscriber’s Private Key based on the Public Key
in the Certificate (such as a Debian weak key,
see
<a href="https://wiki.debian.org/SSLkeys" target="_blank">
https://wiki.debian.org/SSLkeys</a>) <br>
<br>
With: <br>
<br>
4. The CA is made aware of a demonstrated or
proven method that can easily compute the
Subscriber’s Private Key (such as those
identified in 6.1.1.3(4)).
<br>
<br>
--- <br>
<br>
6.1.1.3. Subscriber Key Pair Generation <br>
<br>
Replace: <br>
<br>
The CA SHALL reject a certificate request if one
or more of the following conditions are met:
<br>
<br>
1. The Key Pair does not meet the requirements
set forth in Section 6.1.5 and/or Section 6.1.6;
<br>
<br>
2. There is clear evidence that the specific
method used to generate the Private Key was
flawed;
<br>
<br>
3. The CA is aware of a demonstrated or proven
method that exposes the Applicant's Private Key
to compromise;
<br>
<br>
4. The CA has previously been made aware that
the Applicant's Private Key has suffered a Key
Compromise, such as through the provisions of
Section 4.9.1.1;
<br>
<br>
5. The CA is aware of a demonstrated or proven
method to easily compute the Applicant's Private
Key based on the Public Key (such as a Debian
weak key, see
<a href="https://wiki.debian.org/SSLkeys" target="_blank">
https://wiki.debian.org/SSLkeys</a>). <br>
<br>
With: <br>
<br>
The CA SHALL reject a certificate request if one
or more of the following occurs:
<br>
<br>
1) The requested Public Key does not meet the
requirements set forth in Sections 6.1.5 and/or
6.1.6;
<br>
<br>
2) The CA is aware of a demonstrated or proven
method that exposes the Subscriber's Private Key
to compromise;
<br>
<br>
3) The CA has previously been made aware that
the Subscriber's Private Key has suffered a Key
Compromise, such as through the provisions of
Section 4.9.1.1;
<br>
<br>
4) The Public Key corresponds to an industry
demonstrated weak Private Key, in particular:
<br>
<br>
a) In the case of ROCA vulnerability, the CA
SHALL reject keys identified by the tools
available at
<a href="https://github.com/crocs-muni/roca" target="_blank">
https://github.com/crocs-muni/roca</a> or
equivalent. <br>
<br>
b) In the case of Debian weak keys (<a href="https://wiki.debian.org/SSLkeys" target="_blank">https://wiki.debian.org/SSLkeys</a>),
the CA SHALL reject at least keys generated by
the flawed OpenSSL version with the combination
of the following parameters:
<br>
<br>
i) Big-endian 32-bit, little-endian 32-bit, and
little-endian 64-bit architecture;
<br>
<br>
ii) Process ID of 0 to 32767, inclusive; <br>
<br>
iii) All RSA Public Key lengths supported by the
CA; <br>
<br>
iv) rnd, nornd, and noreadrnd OpenSSL random
file state.<br>
<br>
--- Motion Ends --- <br>
<br>
=====<br>
<br>
</p>
<div>On 5/13/2021 9:42 AM, Rob Stradling wrote:<br>
</div>
<blockquote type="cite">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><span style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt">> </span><span style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt">iii)
All RSA Public Key lengths supported by the
CA up to and including 4096 bits;</span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">>
...</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">> For
Debian weak keys not covered above, the CA
SHALL take actions to minimize the probability
of certificate issuance.
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Hi
Christopher. What sort of "actions" are
envisaged here? If a CA is processing a
certificate request that contains a (for
example) RSA-4088 public key (i.e., a key size
not covered by an available Debian weak list),
either the CA is going to issue the cert or
they're not. What, concretely, does "minimize
the probability of certificate issuance"
actually mean?</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Why
not remove that "SHALL" sentence and change
point iii to: "<span style="background-color:rgb(255,255,255);display:inline">iii)
All RSA Public Key lengths supported by the
CA." ?</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">BTW,
in case it helps, I'm about half way through
generating a full set of RSA-8192 Debian weak
keys, which (when complete) I'll add to the
<a href="https://github.com/CVE-2008-0166" target="_blank">
https://github.com/CVE-2008-0166</a> repositories.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_-3798143528580690523gmail-m_6461232490569725619x_x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b>
Christopher Kemmerer
<a href="mailto:chris@ssl.com" target="_blank"><chris@ssl.com></a><br>
<b>Sent:</b> 13 May 2021 15:12<br>
<b>To:</b> Rob Stradling <a href="mailto:rob@sectigo.com" target="_blank">
<rob@sectigo.com></a>; Dimitris
Zacharopoulos (HARICA) <a href="mailto:dzacharo@harica.gr" target="_blank">
<dzacharo@harica.gr></a>; CA/B
Forum Server Certificate WG Public
Discussion List
<a href="mailto:servercert-wg@cabforum.org" target="_blank"><servercert-wg@cabforum.org></a>;
Jacob Hoffman-Andrews
<a href="mailto:jsha@letsencrypt.org" target="_blank"><jsha@letsencrypt.org></a><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX
Ballot proposal: Debian Weak keys</font>
<div> </div>
</div>
<div>
<br>
<div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>Hello,</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
<br>
</span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>We deeply
appreciate the useful discussion
in this thread regarding this
issue. We especially applaud the
efforts of HARICA and
</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>Sectigo</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span> to independently
generate more comprehensive lists
of potentially affected Debian
weak keys. As Rob Stradling
observed through his crt.sh
research (20210107,
<a href="https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5" target="_blank">
https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5</a>)
of the five most utilized
algorithm/key size populations,
two are ECC (so not impacted by
the Debian weak key issue) and
three are RSA (</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>2048, 4096, and
3072 bit</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span> length, in that
order).</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
<br>
</span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>As of their most
recent messages it appears that
these two organizations have
independently generated
comprehensive lists identifying
all RSA-</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>2048 and -4096
bit</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span> length keys. (We
</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>understand</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span> RSA-3072 length
keys</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span> are also </span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>available</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>.) This offers
the possibility that complete
lists, if accepted as
authoritative, could be accessed
by the community to help prevent
exploitation of this
vulnerability.</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
<br>
</span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>It was also noted
(by the representative from </span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>Let's</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span> Encrypt) that
the ROCA vulnerability is
presently identified through use
of a tool supported externally. It
was suggested that this resource
be archived in a manner that
ensures availability. (Our
proposed language points to "<a href="https://github.com/crocs-muni/" target="_blank">https://github.com/crocs-muni/</a></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>roca</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span> or equivalent.")</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
<br>
</span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>We think our
present ballot language
(reproduced at the end of this
message) provides appropriately
focused guidance to CAs. If
available,
</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>we'd</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span> certainly like
to also see the HARICA/</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>Sectigo</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span> lists (which CAs
could use for the majority of
Debian weak key use cases)
captured somewhere in this ballot
language. We are agnostic as to 1)
where exactly these resources
might be maintained and 2) where
this ballot places directions to
these resources - an annex to the
current requirements, a separate
CA/BF guidance document or within
Sections 4.9.1.1/6.1.1.3.</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
<br>
</span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>Our intent is to
ensure that 1) clear, accurate
guidance on CA expectations is
provided and 2) any resources
assisting CAs in meeting these
expectations are fully described,
publicly available (somewhere) and
with reliable links provided. The
language below, we feel, meets the
first requirement. </span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>We'd</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span> appreciate input
on how to best meet the second.
(Note that SSL.com would be happy
to support the community by
hosting any of these as
</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>publicly
accessible</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span> resources,
whether solo or alongside other
organizations.)</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
<br>
</span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>Chris K</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>SSL.com</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
<br>
</span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>=====</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>--- Motion Begins
---</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>This ballot
modifies the “Baseline
Requirements for the Issuance and
Management of Publicly-Trusted
Certificates” as follows, based on
Version 1.7.</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>4</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>:</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>Proposed ballot
language:</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif;font-weight:bold" lang="EN-US"><span>4.9.1.1 Reasons
for Revoking a Subscriber
Certificate</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>Replace:</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>4. The CA is made
aware of a demonstrated or proven
method that can easily compute the
Subscriber’s Private Key based on
the Public Key in the Certificate
(such as a Debian weak key, see
<a href="https://wiki.debian.org/SSLkeys" target="_blank">
https://wiki.debian.org/SSLkeys</a>)</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>With:</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>4. The CA is made
aware of a demonstrated or proven
method that can easily compute the
Subscriber’s Private Key (such as
those identified in 6.1.1.3(4)).</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>---</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif;font-weight:bold" lang="EN-US"><span>6.1.1.3.
Subscriber Key Pair Generation</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>Replace:</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>The CA SHALL
reject a certificate request if
one or more of the following
conditions are met:</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>1. The Key Pair
does not meet the requirements set
forth in Section 6.1.5 and/or
Section
</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>6.1.6;</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>2. There is clear
evidence that the specific method
used to generate the Private Key
was
</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>flawed;</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>3. The CA is
aware of a demonstrated or proven
method that exposes the
Applicant's Private Key to
</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>compromise;</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>4. The CA has
previously been made aware that
the Applicant's Private Key has
suffered a Key Compromise, such as
through the provisions of Section
</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>4.9.1.1;</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>5. The CA is
aware of a demonstrated or proven
method to easily compute the
Applicant's Private Key based on
the Public Key (such as a Debian
weak key, see
<a href="https://wiki.debian.org/SSLkeys" target="_blank">
https://wiki.debian.org/SSLkeys</a>).</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>With:</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>The CA SHALL
reject a certificate request if
one or more of the following
occurs:</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>1) The requested
Public Key does not meet the
requirements set forth in Sections
6.1.5 and/or
</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>6.1.6;</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>2) The CA is
aware of a demonstrated or proven
method that exposes the
Subscriber's Private Key to
</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>compromise;</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>3) The CA has
previously been made aware that
the Subscriber's Private Key has
suffered a Key Compromise, such as
through the provisions of Section
</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>4.9.1.1;</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>4) The Public Key
corresponds to an industry
demonstrated weak Private Key, in
particular:</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>a) In the case of
ROCA vulnerability, the CA SHALL
reject keys identified by the
tools available at
<a href="https://github.com/crocs-muni/roca" target="_blank">
https://github.com/crocs-muni/roca</a> or equivalent.</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>b) In the case of
Debian weak keys (<a href="https://wiki.debian.org/SSLkeys" target="_blank">https://wiki.debian.org/SSLkeys</a>),
the CA SHALL reject at least keys
generated by the flawed OpenSSL
version with the combination of
the following parameters:</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>i</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>) Big-endian
32-bit, little-endian 32-bit, and
little-endian 64-bit </span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>architecture;</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>ii) Process ID of
0 to 32767, </span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>inclusive;</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>iii) All RSA
Public Key lengths supported by
the CA up to and including 4096 </span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>bits;</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>iv)
</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>rnd</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>,
</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>nornd</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>, and </span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>noreadrnd</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span> OpenSSL random
file state.</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>For Debian weak
keys not covered above, the CA
SHALL take actions to minimize the
probability of certificate
issuance.</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span></span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div style="direction:ltr">
<p style="margin:0px;font-weight:normal;font-style:normal;vertical-align:baseline;background-color:transparent;color:windowtext;text-align:left;padding-left:0px;padding-right:0px;text-indent:0px"><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span>--- Motion Ends
---</span></span><span style="font-size:11pt;line-height:19.425px;font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
</span></p>
</div>
<div>On 1/18/2021 3:34 PM, Rob Stradling
wrote:<br>
</div>
<blockquote type="cite">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">>
I'm mid-way through generating the
RSA-4096 keys.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">The
RSA-4096 private keys and blocklists
are now in <a href="https://github.com/CVE-2008-0166/private_keys" target="_blank">
https://github.com/CVE-2008-0166/private_keys</a> and <a href="https://github.com/CVE-2008-0166/openssl_blocklists" target="_blank">
https://github.com/CVE-2008-0166/openssl_blocklists</a>.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">The
RSA-2048 and RSA-4096 private keys in <a href="https://github.com/HARICA-official/debian-weak-keys" target="_blank">https://github.com/HARICA-official/debian-weak-keys</a> (which
only covers 2 of the 3 word size /
endianness combinations) are identical
to the equivalents in <a href="https://github.com/CVE-2008-0166/private_keys" target="_blank">https://github.com/CVE-2008-0166/private_keys</a>.</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_-3798143528580690523gmail-m_6461232490569725619x_x_x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b>
Dimitris Zacharopoulos (HARICA)
<a href="mailto:dzacharo@harica.gr" target="_blank"><dzacharo@harica.gr></a><br>
<b>Sent:</b> 14 January 2021 18:39<br>
<b>To:</b> Rob Stradling <a href="mailto:rob@sectigo.com" target="_blank">
<rob@sectigo.com></a>;
CA/B Forum Server Certificate WG
Public Discussion List <a href="mailto:servercert-wg@cabforum.org" target="_blank">
<servercert-wg@cabforum.org></a>; Jacob Hoffman-Andrews <a href="mailto:jsha@letsencrypt.org" target="_blank">
<jsha@letsencrypt.org></a>;
Christopher Kemmerer <a href="mailto:chris@ssl.com" target="_blank">
<chris@ssl.com></a><br>
<b>Subject:</b> Re:
[Servercert-wg] SCXX Ballot
proposal: Debian Weak keys</font>
<div> </div>
</div>
<div>
<br>
<div><br>
<br>
<div>On 14/1/2021 12:30 AM, Rob
Stradling wrote:<br>
</div>
<blockquote type="cite">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Thanks
Dimitris.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">So
far I've generated the
RSA-2048 and RSA-3072 keys
using <a href="https://github.com/CVE-2008-0166/key_generator" target="_blank">
https://github.com/CVE-2008-0166/key_generator</a> and uploaded them to
<a href="https://github.com/CVE-2008-0166/private_keys" target="_blank">
https://github.com/CVE-2008-0166/private_keys</a>, and I've generated
the corresponding blocklists
and uploaded them to
<a href="https://github.com/CVE-2008-0166/openssl_blocklists" target="_blank">
https://github.com/CVE-2008-0166/openssl_blocklists</a>. My RSA-2048
blocklists exactly match the
ones from the original Debian
openssl-blacklist package.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">I'm
mid-way through generating the
RSA-4096 keys.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Let's
compare keys when we're both
done. <span id="gmail-m_-3798143528580690523gmail-m_6461232490569725619x_x_x_x_🙂">🙂</span></div>
</blockquote>
<br>
Certainly :-) the RSA-2048 keys
already match the fingerprints
from the openssl-blacklist Debian
package.<br>
<br>
We did this work several months
ago but never found the time to
make it publicly available. We
managed to break down the big task
and run jobs in parallel which
made things a bit more
interesting.<br>
<br>
It's nice we did this
independently, I guess it
increases the accuracy level of
the resulting keys :)<br>
<br>
<br>
Cheers,<br>
Dimitris.<br>
<br>
<blockquote type="cite">
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_-3798143528580690523gmail-m_6461232490569725619x_x_x_x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b>
Dimitris Zacharopoulos
(HARICA)
<a href="mailto:dzacharo@harica.gr" target="_blank"><dzacharo@harica.gr></a><br>
<b>Sent:</b> 13 January
2021 21:49<br>
<b>To:</b> Rob Stradling <a href="mailto:rob@sectigo.com" target="_blank">
<rob@sectigo.com></a>;
CA/B Forum Server
Certificate WG Public
Discussion List <a href="mailto:servercert-wg@cabforum.org" target="_blank">
<servercert-wg@cabforum.org></a>; Jacob Hoffman-Andrews <a href="mailto:jsha@letsencrypt.org" target="_blank">
<jsha@letsencrypt.org></a>; Christopher Kemmerer <a href="mailto:chris@ssl.com" target="_blank">
<chris@ssl.com></a><br>
<b>Subject:</b> Re:
[Servercert-wg] SCXX
Ballot proposal: Debian
Weak keys</font>
<div> </div>
</div>
<div>
<br>
<div>Dear friends,<br>
<br>
HARICA has generated the
weak keys (RSA 2048 and
4096 bit lengths) from the
vulnerable openssl
package. We will generate
3072 bit keys as well and
add them soon. The
methodology is described
in the following GitHub
repo along with the
produced keys:<br>
<ul>
<li><a href="https://github.com/HARICA-official/debian-weak-keys" target="_blank">https://github.com/HARICA-official/debian-weak-keys</a></li>
</ul>
Please review and let us
know if you spot any
issues or problems with
our approach and
methodology.<br>
<br>
As always, please use
other people's work at
your own risk.<br>
<br>
<br>
Dimitris.<br>
<br>
<div>On 7/1/2021 2:25
PM, Rob Stradling via
Servercert-wg wrote:<br>
</div>
<blockquote type="cite">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">I've
used crt.sh to produce
a survey of key
algorithms/sizes in
currently unexpired,
publicly-trusted
server certificates:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><a href="https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5" target="_blank">https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5</a><br>
</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">The
four most popular
choices are no
surprise: RSA-2048,
P-256, RSA-4096, and
P-384.
openssl-blacklist
covers RSA-2048 and
RSA-4096, and ECC
keys are implicitly
not Debian weak
keys.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><span style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt">Fifth
most popular is
RSA-3072, with
over 3 million
unexpired,
publicly-trusted
server certs.
openssl-blacklist
doesn't cover
RSA-3072, but ISTM
that this is a key
size that CAs will
want to permit.</span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><span style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">Some
of the lesser used
key sizes are most
likely due to
Subscriber typos
(e.g., 2408 and 3048
were probably
intended to be 2048,
4048 was probably
intended to be
either 2048 or 4096,
etc.), but some of
the other ones look
like they were
deliberately chosen
(e.g., 2432 is
2048+384). Is it
worth generating
Debian weak
keys/blocklists for
any of these key
sizes?</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><span style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><span style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt"><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf" target="_blank">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf</a> (Table
4, p59) permits
RSA-2048 until the
end of 2030,
whereas </span><a href="https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.2.pdf" style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt" target="_blank">https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.2.pdf</a> permits
RSA-2048 only until
the end of 2025. It
is of course
possible that
quantum computing
will render RSA
obsolete before
Subscribers need to
think about which
larger RSA keysize
they want to migrate
to; however, it
seems prudent to
also plan for the
possibility that RSA
will survive and
that some other RSA
keysize(s) might
become popular.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_-3798143528580690523gmail-m_6461232490569725619x_x_x_x_x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri,
sans-serif" color="#000000"><b>From:</b>
Servercert-wg
<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">
<servercert-wg-bounces@cabforum.org></a> on behalf of Rob
Stradling via
Servercert-wg
<a href="mailto:servercert-wg@cabforum.org" target="_blank">
<servercert-wg@cabforum.org></a><br>
<b>Sent:</b> 06
January 2021 16:08<br>
<b>To:</b> Jacob
Hoffman-Andrews <a href="mailto:jsha@letsencrypt.org" target="_blank">
<jsha@letsencrypt.org></a>; Christopher Kemmerer <a href="mailto:chris@ssl.com" target="_blank">
<chris@ssl.com></a>; CA/B Forum Server Certificate WG Public
Discussion List <a href="mailto:servercert-wg@cabforum.org" target="_blank">
<servercert-wg@cabforum.org></a><br>
<b>Subject:</b>
Re:
[Servercert-wg]
SCXX Ballot
proposal: Debian
Weak keys</font>
<div> </div>
</div>
<div dir="ltr">
<br>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="margin:0px;font-size:12pt">Jacob
wrote:</div>
<div style="margin:0px;font-size:12pt">>
Lastly, I
think we
should archive
openssl-blacklist, and include in the BRs: "A CA may reject the full set
of Debian weak
keys by
rejecting this
superset of
the Debian
weak keys:</div>
<div style="margin:0px;font-size:12pt">><br>
<div>> -
All RSA public
keys with
modulus
lengths other
than 2048 or
4096, and</div>
<div>> -
All RSA public
keys with
exponents
other than
65537, and</div>
<div><br>
</div>
<div>Hi
Jacob. 65537
(aka 0x10001)
is hard-coded
here...</div>
<div><span style="background-color:rgb(255,255,255);display:inline"><br>
</span></div>
<div><span style="background-color:rgb(255,255,255);display:inline"><a href="https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768" target="_blank">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768</a><br>
</span></div>
<div><br>
</div>
<div>Would it
therefore be
fair to say
that keys with
public
exponents
other than
65537 are
implicitly
<u>not</u> Debian
weak keys?</div>
<div><br>
</div>
> - All RSA
public keys
that are
detected as
vulnerable by
the
openssl-vulnkey
program in the
openssl-blacklist package version 0.5-3 (see addendum), or an equivalent
program."</div>
</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><br>
</div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_-3798143528580690523gmail-m_6461232490569725619x_x_x_x_x_x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b>
Servercert-wg
<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">
<servercert-wg-bounces@cabforum.org></a> on behalf of Jacob
Hoffman-Andrews
via
Servercert-wg
<a href="mailto:servercert-wg@cabforum.org" target="_blank">
<servercert-wg@cabforum.org></a><br>
<b>Sent:</b>
12 December
2020 02:21<br>
<b>To:</b>
Christopher
Kemmerer <a href="mailto:chris@ssl.com" target="_blank">
<chris@ssl.com></a>; CA/B Forum Server Certificate WG Public
Discussion
List <a href="mailto:servercert-wg@cabforum.org" target="_blank">
<servercert-wg@cabforum.org></a><br>
<b>Subject:</b>
Re:
[Servercert-wg]
SCXX Ballot
proposal:
Debian Weak
keys</font>
<div> </div>
</div>
<div>
<br>
<div>
<div dir="ltr">Thanks
for your
continued
efforts to
improve this
part of the
BRs! Let's
Encrypt is in
theory
interested in
endorsing, but
I think it
still needs a
bit of work.
Thanks for
incorporating
my most recent
comments on
endianness and
word size vs
11 platforms.<br>
<br>
Goals: We want
CAs to
consistently
not issue
certificates
for weak keys
in general,
and also in
the specific
case of Debian
and ROCA keys.
We want the
definition of
Debian and
ROCA keys to
be clear and
actionable for
as long as
possible -
say, at least
twenty years.<br>
<br>
We have three
ways to
specify Debian
and ROCA keys:
With a list,
with a tool,
or with an
algorithm*.
The original
revision of
this ballot
proposed to
use a list (<a href="https://lists.cabforum.org/pipermail/servercert-wg/2020-April/001821.html" target="_blank">https://lists.cabforum.org/pipermail/servercert-wg/2020-April/001821.html</a>).
There were two
objections:<br>
<br>
- The list
(openssl-blacklist)
is subject to
change or
removal.<br>
- The list
only covers
2048 and 4096
bit keys.<br>
<br>
The current
draft proposes
specifying a
tool for ROCA
(<a href="https://github.com/crocs-muni/roca" target="_blank">https://github.com/crocs-muni/roca</a>)
and an
algorithm for
Debian keys.<br>
<br>
The ROCA tool
is subject to
change or
removal, just
like the
openssl-blacklist
package. I
propose we
instead
specify ROCA
detection in
terms of the
paper (<a href="https://crocs.fi.muni.cz/public/papers/rsa_ccs17" target="_blank">https://crocs.fi.muni.cz/public/papers/rsa_ccs17</a>)
and ask for
permission
from the
authors to
archive an
unchanging
copy as an
addendum to
the BRs.<br>
<br>
For Debian
keys, what
looks like an
algorithm
specification
is actually a
tool +
algorithm
specification.
The tool is
"OpenSSL
0.9.8c-1 up to
versions
before
0.9.8g-9 on
Debian-based
operating
systems" (per
CVE-2008-0166
-
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0166" target="_blank">
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0166</a>). To ensure
an unchanging
copy of that,
we should
archive 3
copies of
Debian, for
the 3 word
size +
endianness
combinations.<br>
<br>
The algorithm
also needs an
additional
line: "v)
using the
command
'openssl req
-nodes -subj /
-newkey
rsa:<Public
Key
length>'"
(adapted from
<a href="https://sources.debian.org/data/main/o/openssl-blacklist/0.5-3/examples/gen_certs.sh" target="_blank">
https://sources.debian.org/data/main/o/openssl-blacklist/0.5-3/examples/gen_certs.sh</a>).
Other tools
that linked
OpenSSL, like
openvpn and
openssh,
generated
different sets
of keys. We
can include or
exclude
openvpn and
openssh keys,
but should
thoroughly
specify.<br>
<br>
Lastly, I
think we
should archive
openssl-blacklist, and include in the BRs: "A CA may reject the full set
of Debian weak
keys by
rejecting this
superset of
the Debian
weak keys:<br>
<br>
- All RSA
public keys
with modulus
lengths other
than 2048 or
4096, and<br>
- All RSA
public keys
with exponents
other than
65537, and<br>
- All RSA
public keys
that are
detected as
vulnerable by
the
openssl-vulnkey
program in the
openssl-blacklist package version 0.5-3 (see addendum), or an equivalent
program."<br>
<br>
My reasoning:
Given the
difficulty of
correctly
setting up old
Debian
versions and
generating
weak keys for
sizes that are
not part of
openssl-blacklist,
I expect most
CAs will
choose this
path. Given
that, we
should just
say what we
mean: the
pregenerated
list is fine
if you
restrict key
sizes, but you
don't *have*
to restrict
key sizes, so
long as you
have an
alternate
method to
ensure you're
not issuing
for Debian
weak keys at
other sizes.<br>
<br>
*I'm
considering
specifying an
algorithm to
be
functionally
equivalent to
specifying an
"outcome,"
though I
recognize this
may be too
hand-wavy.<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
Servercert-wg mailing list
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote></div>
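<div>Added example (not part of the thread and not code from any of the projects it links): a Python sketch of the pre-issuance screen that the quoted three-rule superset describes, plus the size of the parameter space listed in the motion. The 20-hex-digit fingerprint format (tail of SHA-1 over the "Modulus=..." line) is an assumption modelled on openssl-vulnkey, the architecture labels and function names are hypothetical, and the sample moduli are constructed integers, not real keys.</div>

```python
"""Pre-issuance screen for RSA keys, following the three-rule superset quoted in the thread."""
import hashlib
from dataclasses import dataclass

# Rules 1 and 2 of the quoted superset.
ALLOWED_MODULUS_BITS = (2048, 4096)
REQUIRED_EXPONENT = 65537  # 0x10001

# Parameter space from the motion text (items i, ii and iv). Labels are hypothetical.
ARCHITECTURES = ("be32", "le32", "le64")
PROCESS_IDS = range(0, 32768)  # 0 to 32767, inclusive
RND_STATES = ("rnd", "nornd", "noreadrnd")


def max_candidates_per_key_size():
    """Upper bound on weak keys per RSA key length under the motion's parameters."""
    return len(ARCHITECTURES) * len(PROCESS_IDS) * len(RND_STATES)


def modulus_fingerprint(n):
    """ASSUMPTION: fingerprint in the style of openssl-vulnkey, i.e. the last
    20 hex digits of SHA-1 over the line 'Modulus=HEX' plus a newline."""
    line = "Modulus=%X\n" % n
    return hashlib.sha1(line.encode("ascii")).hexdigest()[20:]


def load_blocklist(lines):
    """Parse blocklist lines into a set, skipping blanks and '#' comments.
    A malformed entry raises instead of being silently dropped."""
    entries = set()
    for number, raw in enumerate(lines, start=1):
        entry = raw.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        if len(entry) != 20 or any(c not in "0123456789abcdef" for c in entry):
            raise ValueError("line %d: not a 20-hex-digit fingerprint" % number)
        entries.add(entry)
    return entries


@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str


def screen_rsa_key(n, e, blocklists):
    """Apply the three rules in order. `blocklists` maps modulus bits to a set
    of fingerprints; a missing list for an allowed size fails closed."""
    bits = n.bit_length()
    if bits not in ALLOWED_MODULUS_BITS:
        return Decision(False, "modulus length %d is outside the covered sizes" % bits)
    if e != REQUIRED_EXPONENT:
        return Decision(False, "public exponent is not 65537")
    if bits not in blocklists:
        return Decision(False, "no blocklist loaded for %d-bit keys" % bits)
    if modulus_fingerprint(n) in blocklists[bits]:
        return Decision(False, "modulus fingerprint is on the blocklist")
    return Decision(True, "not rejected by the superset rule")


# Constructed sample values: integers of the right bit length, not real RSA moduli.
SAMPLE_LISTED = (1 << 2047) + 12345
SAMPLE_CLEAN = (1 << 2047) + 54321
SAMPLE_3072 = (1 << 3071) + 1
SAMPLE_4096 = (1 << 4095) + 1

if __name__ == "__main__":
    lists = {2048: load_blocklist(["# constructed entry", modulus_fingerprint(SAMPLE_LISTED)])}
    print("upper bound per key size:", max_candidates_per_key_size())
    for label, n, e in [
        ("listed 2048", SAMPLE_LISTED, 65537),
        ("clean 2048", SAMPLE_CLEAN, 65537),
        ("exponent 3", SAMPLE_CLEAN, 3),
        ("3072-bit", SAMPLE_3072, 65537),
        ("4096-bit, no list", SAMPLE_4096, 65537),
    ]:
        print(label, "->", screen_rsa_key(n, e, lists))
```

<div>The first two rules reject sound keys as well as weak ones; that is the trade-off the quoted proposal accepts in exchange for relying on a pregenerated list.</div>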