<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>Thank you, Rob, and we shall watch for that update. Meanwhile we are
doing a final-final pass through our draft language for clarity
and will send it early next week.<br>
<br>
</p>
<p>Chris K<br>
<br>
Meanwhile, we've cycled our draft language through another review
and have made IIRC only one or two minor edits for clarity (h/t
BenW).<br>
<br>
<br>
</p>
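<p>Added example, written for this page rather than taken from any message in the thread or from the CVE-2008-0166 repositories: a fail-closed CA-side check of an RSA public key against per-key-size Debian weak-key blocklists (the "all RSA key lengths supported by the CA" point), plus the old-versus-new list comparison Rob describes. It assumes the Debian openssl-blacklist entry format (SHA-1 over the <code>Modulus=…</code> line with the first 20 hex digits dropped); every modulus and list entry below is constructed, not a real weak key.</p>

```python
"""
Added example: a CA-side Debian weak-key check (CVE-2008-0166) plus a
comparison of two generations of the same blocklist.

Assumptions (not taken from the thread): the blocklist file format follows
the Debian openssl-blacklist convention as I understand it, i.e. one entry per
line, '#' comment lines, and each entry is the SHA-1 of the text
"Modulus=<UPPER-CASE HEX>\n" (what `openssl rsa -noout -modulus` prints) with
its first 20 hex digits dropped. All moduli and list contents below are
constructed for the example and are not real weak keys.
"""
import hashlib
from typing import Dict, Set, Tuple


def debian_fingerprint(modulus: int) -> str:
    """Fingerprint of an RSA modulus in the assumed openssl-blacklist form."""
    line = "Modulus=%X\n" % modulus
    return hashlib.sha1(line.encode("ascii")).hexdigest()[20:]


def parse_blocklist(text: str) -> Set[str]:
    """Parse a blocklist file; reject malformed entries rather than skip them."""
    entries: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if len(line) != 20 or any(c not in "0123456789abcdef" for c in line):
            raise ValueError(f"malformed blocklist entry: {raw!r}")
        entries.add(line)
    return entries


def check_key(modulus: int, blocklists: Dict[int, Set[str]]) -> Tuple[bool, str]:
    """Decide whether a key may be certified.

    Fails closed: a key size with no blocklist is refused outright, which is the
    concrete form of "either the CA issues or it does not" for sizes such as
    RSA-4088 that no published list covers.
    """
    bits = modulus.bit_length()
    if bits not in blocklists:
        return False, f"no Debian weak-key blocklist for RSA-{bits}; refusing to issue"
    if debian_fingerprint(modulus) in blocklists[bits]:
        return False, f"RSA-{bits} key is on the Debian weak-key blocklist"
    return True, f"RSA-{bits} key not found on blocklist"


def compare_blocklists(old: Set[str], new: Set[str]) -> Tuple[int, int, float]:
    """Entries only in old, only in new, and the fraction of old not reproduced.

    This is the check Rob describes: regenerate, diff against the earlier run,
    and treat any non-zero fraction as a generation problem to investigate.
    """
    only_old = old - new
    only_new = new - old
    fraction = len(only_old) / len(old) if old else 0.0
    return len(only_old), len(only_new), fraction


# --- constructed sample data (not real keys) --------------------------------
WEAK_2048 = (1 << 2047) | 0x10001          # 2048-bit value we put on the list
OK_2048 = (1 << 2047) | 0x12345            # 2048-bit value not on the list
UNCOVERED_4088 = (1 << 4087) | 1           # size with no blocklist at all

BLOCKLIST_2048_TEXT = (
    "# constructed RSA-2048 blocklist for the example\n"
    + debian_fingerprint(WEAK_2048) + "\n"
)
BLOCKLISTS: Dict[int, Set[str]] = {2048: parse_blocklist(BLOCKLIST_2048_TEXT)}

# Two "generations" of a 250-entry list where the second run reproduced all but
# two entries: 2/250 = 0.8%, the discrepancy rate quoted in the thread.
OLD_LIST = {debian_fingerprint((1 << 2047) | (2 * i + 1)) for i in range(250)}
NEW_LIST = (
    OLD_LIST
    - {debian_fingerprint((1 << 2047) | 1), debian_fingerprint((1 << 2047) | 3)}
) | {debian_fingerprint((1 << 2047) | 1001), debian_fingerprint((1 << 2047) | 1003)}


if __name__ == "__main__":
    for name, mod in (("weak", WEAK_2048), ("ok", OK_2048), ("4088", UNCOVERED_4088)):
        print(name, check_key(mod, BLOCKLISTS))
    print("old vs new:", compare_blocklists(OLD_LIST, NEW_LIST))
```

For a real CSR the modulus comes from `openssl rsa -pubin -noout -modulus` and the per-size lists from the published repositories; the policy logic is unchanged.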
<div class="moz-cite-prefix">On 10/14/2021 9:49 AM, Rob Stradling
wrote:<br>
</div>
<blockquote type="cite" cite="mid:MW4PR17MB4729D1BD1013B0353B328179AAB89@MW4PR17MB4729.namprd17.prod.outlook.com">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
Today I rediscovered that I'd previously generated the RSA-8192
blocklists back in December 2009, and that they're still
available at
<a href="https://secure.sectigo.com/debian_weak_keys/" moz-do-not-send="true" class="moz-txt-link-freetext">https://secure.sectigo.com/debian_weak_keys/</a>.
When I compared the old and new RSA-8192 blocklists, I found
that ~0.8% of the "rnd" keys are different. It looks like, for
reasons unknown, the "OpenSSL random file state" misbehaved
occasionally over the 8 month run that ended recently.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<span style="color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; font-size: 12pt;">I'll report back once
I've regenerated and verified the problematic keys.</span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Rob
Stradling <a class="moz-txt-link-rfc2396E" href="mailto:rob@sectigo.com"><rob@sectigo.com></a><br>
<b>Sent:</b> 23 September 2021 19:17<br>
<b>To:</b> Christopher Kemmerer <a class="moz-txt-link-rfc2396E" href="mailto:chris@ssl.com"><chris@ssl.com></a>;
Dimitris Zacharopoulos (HARICA) <a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a>;
CA/B Forum Server Certificate WG Public Discussion List
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a>; Jacob Hoffman-Andrews
<a class="moz-txt-link-rfc2396E" href="mailto:jsha@letsencrypt.org"><jsha@letsencrypt.org></a>; Rob Stradling
<a class="moz-txt-link-rfc2396E" href="mailto:rob@sectigo.com"><rob@sectigo.com></a><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot proposal:
Debian Weak keys</font>
<div> </div>
</div>
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
> BTW, in case it helps, I'm about half way through
generating a full set of RSA-8192 Debian weak keys, which
(when complete) I'll add to the
<a class="moz-txt-link-freetext" href="https://github.com/CVE-2008-0166">https://github.com/CVE-2008-0166</a> repositories.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
It took nearly 8 months (using just a single core of a fairly
modest CPU), but it finally finished! Repositories updated.</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Servercert-wg
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg-bounces@cabforum.org"><servercert-wg-bounces@cabforum.org></a> on behalf of
Rob Stradling via Servercert-wg
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a><br>
<b>Sent:</b> 13 May 2021 15:42<br>
<b>To:</b> Christopher Kemmerer <a class="moz-txt-link-rfc2396E" href="mailto:chris@ssl.com"><chris@ssl.com></a>;
Dimitris Zacharopoulos (HARICA)
<a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a>; CA/B Forum Server Certificate
WG Public Discussion List
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a>; Jacob Hoffman-Andrews
<a class="moz-txt-link-rfc2396E" href="mailto:jsha@letsencrypt.org"><jsha@letsencrypt.org></a><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot proposal:
Debian Weak keys</font>
<div> </div>
</div>
<div dir="ltr">
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<span style="color:rgb(0,0,0);
font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt">> </span><span style="color:rgb(0,0,0);
font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt">iii) All RSA Public Key lengths
supported by the CA up to and including 4096 bits;</span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
> ...</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
> For Debian weak keys not covered above, the CA
SHALL take actions to minimize the probability of
certificate issuance.
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Hi Christopher. What sort of "actions" are envisaged
here? If a CA is processing a certificate request that
contains a (for example) RSA-4088 public key (i.e., a
key size not covered by an available Debian weak list),
either the CA is going to issue the cert or they're
not. What, concretely, does "minimize the probability
of certificate issuance" actually mean?</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Why not remove that "SHALL" sentence and change point
iii to: "<span style="background-color:rgb(255,255,255);
display:inline!important">iii) All RSA Public Key
lengths supported by the CA." ?</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
BTW, in case it helps, I'm about half way through
generating a full set of RSA-8192 Debian weak keys,
which (when complete) I'll add to the
<a href="https://github.com/CVE-2008-0166" moz-do-not-send="true">https://github.com/CVE-2008-0166</a> repositories.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div>
<hr tabindex="-1" style="display:inline-block;
width:98%">
<div id="x_x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Christopher Kemmerer
<a class="moz-txt-link-rfc2396E" href="mailto:chris@ssl.com"><chris@ssl.com></a><br>
<b>Sent:</b> 13 May 2021 15:12<br>
<b>To:</b> Rob Stradling <a class="moz-txt-link-rfc2396E" href="mailto:rob@sectigo.com"><rob@sectigo.com></a>;
Dimitris Zacharopoulos (HARICA)
<a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a>; CA/B Forum Server
Certificate WG Public Discussion List
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a>; Jacob
Hoffman-Andrews <a class="moz-txt-link-rfc2396E" href="mailto:jsha@letsencrypt.org"><jsha@letsencrypt.org></a><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot
proposal: Debian Weak keys</font>
<div> </div>
</div>
<div>
<div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_BCX2 x_x_x_SCXW100400534" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">Hello,</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
<br>
</span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_BCX2 x_x_x_SCXW100400534" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">We deeply
appreciate the useful discussion in this
thread regarding this issue. We especially
applaud the efforts of HARICA and
</span></span><span class="x_x_x_TextRun
x_x_x_SCXW100400534 x_x_x_BCX2" style="font-size:11pt; line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SpellingErrorV2 x_x_x_SCXW100400534
x_x_x_BCX2">Sectigo</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"> to
independently generate more comprehensive
lists of potentially affected Debian weak
keys. As Rob Stradling observed through his
crt.sh research (20210107,
<a class="x_x_x_moz-txt-link-freetext" href="https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5" moz-do-not-send="true">https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5</a>)
of the five most utilized algorithm/key size
populations, two are ECC (so not impacted by
the Debian weak key issue) and three are RSA
(</span></span><span class="x_x_x_TextRun
x_x_x_SCXW100400534 x_x_x_BCX2" style="font-size:11pt; line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_ContextualSpellingAndGrammarErrorV2
x_x_x_SCXW100400534 x_x_x_BCX2">2048, 4096,
and 3072 bit</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"> length, in
that order).</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
<br>
</span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">As of their
most recent messages it appears that these
two organizations have independently
generated comprehensive lists identifying
all RSA-</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_ContextualSpellingAndGrammarErrorV2
x_x_x_SCXW100400534 x_x_x_BCX2">2048 and
-4096 bit</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"> length
keys. (We </span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">understand</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"> RSA-3072
length keys</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"> are also </span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">available</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">.) This
offers the possibility that complete lists,
if accepted as authoritative, could be
accessed by the community to help prevent
exploitation of this vulnerability.</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
<br>
</span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">It was also
noted (by the representative from </span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">Let's</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"> Encrypt)
that the ROCA vulnerability is presently
identified through use of a tool supported
externally. It was suggested that this
resource be archived in a manner that
ensures availability. (Our proposed language
points to "<a class="x_x_x_moz-txt-link-freetext" href="https://github.com/crocs-muni/" moz-do-not-send="true">https://github.com/crocs-muni/</a></span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SpellingErrorV2 x_x_x_SCXW100400534
x_x_x_BCX2">roca</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"> or
equivalent.")</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
<br>
</span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">We think our
present ballot language (reproduced at the
end of this message) provides appropriately
focused guidance to CAs. If available,
</span></span><span class="x_x_x_TextRun
x_x_x_SCXW100400534 x_x_x_BCX2" style="font-size:11pt; line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">we'd</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"> certainly
like to also see the HARICA/</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SpellingErrorV2 x_x_x_SCXW100400534
x_x_x_BCX2">Sectigo</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"> lists
(which CAs could use for the majority of
Debian weak key use cases) captured
somewhere in this ballot language. We are
agnostic as to 1) where exactly these
resources might be maintained and 2) where
this ballot places directions to these
resources - an annex to the current
requirements, a separate CA/BF guidance
document or within Sections 4.9.1.1/6.1.1.3.</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
<br>
</span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">Our intent
is to ensure that 1) clear, accurate
guidance on CA expectations is provided and
2) any resources assisting CAs in meeting
these expectations are fully described,
publicly available (somewhere) and with
reliable links provided. The language below,
we feel, meets the first requirement. </span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">We'd</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"> appreciate
input on how to best meet the second. (Note
that SSL.com would be happy to support the
community by hosting any of these as
</span></span><span class="x_x_x_TextRun
x_x_x_SCXW100400534 x_x_x_BCX2" style="font-size:11pt; line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">publicly
accessible</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"> resources,
whether solo or alongside other
organizations.)</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
<br>
</span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">Chris K</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">SSL.com</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
<br>
</span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">=====</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">--- Motion
Begins ---</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">This ballot
modifies the “Baseline Requirements for the
Issuance and Management of Publicly-Trusted
Certificates” as follows, based on Version
1.7.</span></span><span class="x_x_x_TextRun
x_x_x_SCXW100400534 x_x_x_BCX2" style="font-size:11pt; line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">4</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">:</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">Proposed
ballot language:</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif;
font-weight:bold" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">4.9.1.1
Reasons for Revoking a Subscriber
Certificate</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">Replace:</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">4. The CA is
made aware of a demonstrated or proven
method that can easily compute the
Subscriber’s Private Key based on the Public
Key in the Certificate (such as a Debian
weak key, see
<a class="x_x_x_moz-txt-link-freetext" href="https://wiki.debian.org/SSLkeys" moz-do-not-send="true">
https://wiki.debian.org/SSLkeys</a>)</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">With:</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">4. The CA is
made aware of a demonstrated or proven
method that can easily compute the
Subscriber’s Private Key (such as those
identified in 6.1.1.3(4)).</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">---</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif;
font-weight:bold" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">6.1.1.3.
Subscriber Key Pair Generation</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">Replace:</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">The CA SHALL
reject a certificate request if one or more
of the following conditions are met:</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">1. The Key
Pair does not meet the requirements set
forth in Section 6.1.5 and/or Section
</span></span><span class="x_x_x_TextRun
x_x_x_SCXW100400534 x_x_x_BCX2" style="font-size:11pt; line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">6.1.6;</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">2. There is
clear evidence that the specific method used
to generate the Private Key was
</span></span><span class="x_x_x_TextRun
x_x_x_SCXW100400534 x_x_x_BCX2" style="font-size:11pt; line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">flawed;</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">3. The CA is
aware of a demonstrated or proven method
that exposes the Applicant's Private Key to
</span></span><span class="x_x_x_TextRun
x_x_x_SCXW100400534 x_x_x_BCX2" style="font-size:11pt; line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">compromise;</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">4. The CA
has previously been made aware that the
Applicant's Private Key has suffered a Key
Compromise, such as through the provisions
of Section
</span></span><span class="x_x_x_TextRun
x_x_x_SCXW100400534 x_x_x_BCX2" style="font-size:11pt; line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">4.9.1.1;</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">5. The CA is
aware of a demonstrated or proven method to
easily compute the Applicant's Private Key
based on the Public Key (such as a Debian
weak key, see
<a class="x_x_x_moz-txt-link-freetext" href="https://wiki.debian.org/SSLkeys" moz-do-not-send="true">
https://wiki.debian.org/SSLkeys</a>).</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">With:</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">The CA SHALL
reject a certificate request if one or more
of the following occurs:</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">1) The
requested Public Key does not meet the
requirements set forth in Sections 6.1.5
and/or
</span></span><span class="x_x_x_TextRun
x_x_x_SCXW100400534 x_x_x_BCX2" style="font-size:11pt; line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_ContextualSpellingAndGrammarErrorV2
x_x_x_SCXW100400534 x_x_x_BCX2">6.1.6;</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">2) The CA is
aware of a demonstrated or proven method
that exposes the Subscriber's Private Key to
</span></span><span class="x_x_x_TextRun
x_x_x_SCXW100400534 x_x_x_BCX2" style="font-size:11pt; line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_ContextualSpellingAndGrammarErrorV2
x_x_x_SCXW100400534 x_x_x_BCX2">compromise;</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">3) The CA
has previously been made aware that the
Subscriber's Private Key has suffered a Key
Compromise, such as through the provisions
of Section
</span></span><span class="x_x_x_TextRun
x_x_x_SCXW100400534 x_x_x_BCX2" style="font-size:11pt; line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_ContextualSpellingAndGrammarErrorV2
x_x_x_SCXW100400534 x_x_x_BCX2">4.9.1.1;</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">4) The
Public Key corresponds to an industry
demonstrated weak Private Key, in
particular:</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">a) In the
case of ROCA vulnerability, the CA SHALL
reject keys identified by the tools
available at
<a class="x_x_x_moz-txt-link-freetext" href="https://github.com/crocs-muni/roca">
https://github.com/crocs-muni/roca</a> or
equivalent.</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">b) In the
case of Debian weak keys (<a class="x_x_x_moz-txt-link-freetext" href="https://wiki.debian.org/SSLkeys">https://wiki.debian.org/SSLkeys</a>),
the CA SHALL reject at least keys generated
by the flawed OpenSSL version with the
combination of the following parameters:</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SpellingErrorV2 x_x_x_SCXW100400534
x_x_x_BCX2">i</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">) Big-endian
32-bit, little-endian 32-bit, and
little-endian 64-bit </span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_ContextualSpellingAndGrammarErrorV2
x_x_x_SCXW100400534 x_x_x_BCX2">architecture;</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">ii) Process
ID of 0 to 32767, </span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_ContextualSpellingAndGrammarErrorV2
x_x_x_SCXW100400534 x_x_x_BCX2">inclusive;</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">iii) All RSA
Public Key lengths supported by the CA up to
and including 4096 </span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_ContextualSpellingAndGrammarErrorV2
x_x_x_SCXW100400534 x_x_x_BCX2">bits;</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">iv)
</span></span><span class="x_x_x_TextRun
x_x_x_SCXW100400534 x_x_x_BCX2" style="font-size:11pt; line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SpellingErrorV2 x_x_x_SCXW100400534
x_x_x_BCX2">rnd</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">,
</span></span><span class="x_x_x_TextRun
x_x_x_SCXW100400534 x_x_x_BCX2" style="font-size:11pt; line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SpellingErrorV2 x_x_x_SCXW100400534
x_x_x_BCX2">nornd</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">, and </span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SpellingErrorV2 x_x_x_SCXW100400534
x_x_x_BCX2">noreadrnd</span></span><span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"> OpenSSL
random file state.</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">For Debian
weak keys not covered above, the CA SHALL
take actions to minimize the probability of
certificate issuance.</span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2"></span></span><span class="x_x_x_EOP x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"> </span></p>
</div>
<div class="x_x_x_OutlineElement x_x_x_Ltr
x_x_x_SCXW100400534 x_x_x_BCX2" style="direction:ltr">
<p class="x_x_x_Paragraph x_x_x_SCXW100400534
x_x_x_BCX2" style="margin-top: 0px;
margin-bottom: 0px;margin-top:0px;
margin-bottom:0px; margin-top:0px;
margin-bottom:0px; font-weight:normal;
font-style:normal; vertical-align:baseline;
background-color:transparent; color:windowtext;
text-align:left; margin-left:0px;
margin-right:0px; padding-left:0px;
padding-right:0px; text-indent:0px">
<span class="x_x_x_TextRun x_x_x_SCXW100400534
x_x_x_BCX2" style="font-size:11pt;
line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif" lang="EN-US"><span class="x_x_x_NormalTextRun
x_x_x_SCXW100400534 x_x_x_BCX2">--- Motion
Ends ---</span></span><span class="x_x_x_EOP
x_x_x_SCXW100400534 x_x_x_BCX2" style="font-size:11pt; line-height:19.425px;
font-family:Calibri,Calibri_EmbeddedFont,Calibri_MSFontService,sans-serif"><br>
</span></p>
</div>
<div class="x_x_x_moz-cite-prefix">On 1/18/2021 3:34
PM, Rob Stradling wrote:<br>
</div>
<blockquote type="cite">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
> I'm mid-way through generating the RSA-4096
keys.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
The RSA-4096 private keys and blocklists are now
in <a href="https://github.com/CVE-2008-0166/private_keys">
https://github.com/CVE-2008-0166/private_keys</a> and
<a href="https://github.com/CVE-2008-0166/openssl_blocklists">
https://github.com/CVE-2008-0166/openssl_blocklists</a>.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
The RSA-2048 and RSA-4096 private keys in <a href="https://github.com/HARICA-official/debian-weak-keys">https://github.com/HARICA-official/debian-weak-keys</a> (which
only covers 2 of the 3 word size / endianness
combinations) are identical to the equivalents
in <a href="https://github.com/CVE-2008-0166/private_keys">https://github.com/CVE-2008-0166/private_keys</a>.</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block;
width:98%">
<div id="x_x_x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri,
sans-serif" color="#000000"><b>From:</b>
Dimitris Zacharopoulos (HARICA)
<a class="x_x_x_moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr" moz-do-not-send="true"><dzacharo@harica.gr></a><br>
<b>Sent:</b> 14 January 2021 18:39<br>
<b>To:</b> Rob Stradling <a class="x_x_x_moz-txt-link-rfc2396E" href="mailto:rob@sectigo.com" moz-do-not-send="true">
<rob@sectigo.com></a>; CA/B Forum
Server Certificate WG Public Discussion List
<a class="x_x_x_moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org" moz-do-not-send="true">
<servercert-wg@cabforum.org></a>;
Jacob Hoffman-Andrews <a class="x_x_x_moz-txt-link-rfc2396E" href="mailto:jsha@letsencrypt.org" moz-do-not-send="true">
<jsha@letsencrypt.org></a>;
Christopher Kemmerer <a class="x_x_x_moz-txt-link-rfc2396E" href="mailto:chris@ssl.com" moz-do-not-send="true">
<chris@ssl.com></a><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX
Ballot proposal: Debian Weak keys</font>
<div> </div>
</div>
<div>
<div><br>
<br>
<div class="x_x_x_x_moz-cite-prefix">On
14/1/2021 12:30 a.m., Rob Stradling wrote:<br>
</div>
<blockquote type="cite">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Thanks Dimitris.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
So far I've generated the RSA-2048 and
RSA-3072 keys using <a href="https://github.com/CVE-2008-0166/key_generator">
https://github.com/CVE-2008-0166/key_generator</a> and uploaded them to
<a href="https://github.com/CVE-2008-0166/private_keys">
https://github.com/CVE-2008-0166/private_keys</a>, and I've generated
the corresponding blocklists and
uploaded them to
<a href="https://github.com/CVE-2008-0166/openssl_blocklists" moz-do-not-send="true">
https://github.com/CVE-2008-0166/openssl_blocklists</a>. My RSA-2048
blocklists exactly match the ones from
the original Debian openssl-blacklist
package.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
I'm mid-way through generating the
RSA-4096 keys.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Let's compare keys when we're both
done. <span id="x_x_x_x_🙂">🙂</span></div>
</blockquote>
<br>
Certainly :-) the RSA-2048 keys already
match the fingerprints from the
openssl-blacklist Debian package.<br>
<br>
We did this work several months ago but
never found the time to make it publicly
available. We managed to break down the big
task and run jobs in parallel which made
things a bit more interesting.<br>
<br>
It's nice we did this independently; I guess
it increases the accuracy level of the
resulting keys :)<br>
<br>
<br>
Cheers,<br>
Dimitris.<br>
<br>
<blockquote type="cite">
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block;
width:98%">
<div id="x_x_x_x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b>
Dimitris Zacharopoulos (HARICA)
<a class="x_x_x_x_moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr" moz-do-not-send="true"><dzacharo@harica.gr></a><br>
<b>Sent:</b> 13 January 2021 21:49<br>
<b>To:</b> Rob Stradling <a class="x_x_x_x_moz-txt-link-rfc2396E" href="mailto:rob@sectigo.com" moz-do-not-send="true">
<rob@sectigo.com></a>; CA/B
Forum Server Certificate WG Public
Discussion List <a class="x_x_x_x_moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org" moz-do-not-send="true">
<servercert-wg@cabforum.org></a>;
Jacob Hoffman-Andrews <a class="x_x_x_x_moz-txt-link-rfc2396E" href="mailto:jsha@letsencrypt.org" moz-do-not-send="true">
<jsha@letsencrypt.org></a>;
Christopher Kemmerer <a class="x_x_x_x_moz-txt-link-rfc2396E" href="mailto:chris@ssl.com" moz-do-not-send="true">
<chris@ssl.com></a><br>
<b>Subject:</b> Re: [Servercert-wg]
SCXX Ballot proposal: Debian Weak
keys</font>
<div> </div>
</div>
<div>
<br>
<div>Dear friends,<br>
<br>
HARICA has generated the weak keys
(RSA 2048 and 4096 bit lengths) from
the vulnerable openssl package. We
will generate 3072 bit keys as well
and add them soon. The methodology
is described in the following GitHub
repo along with the produced keys:<br>
<ul>
<li><a class="x_x_x_x_x_moz-txt-link-freetext" href="https://github.com/HARICA-official/debian-weak-keys" moz-do-not-send="true">https://github.com/HARICA-official/debian-weak-keys</a></li>
</ul>
Please review and let us know if you
spot any issues or problems with our
approach and methodology.<br>
<br>
As always, please use other people's
work at your own risk.<br>
<br>
<br>
Dimitris.<br>
<br>
<div class="x_x_x_x_x_moz-cite-prefix">On
7/1/2021 2:25 p.m., Rob Stradling
via Servercert-wg wrote:<br>
</div>
<blockquote type="cite">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt;
color:rgb(0,0,0)">
I've used crt.sh to produce a
survey of key algorithms/sizes
in currently unexpired,
publicly-trusted server
certificates:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt;
color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt;
color:rgb(0,0,0)">
<a href="https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5" moz-do-not-send="true">https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5</a><br>
</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt;
color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt;
color:rgb(0,0,0)">
The four most popular choices
are no surprise: RSA-2048,
P-256, RSA-4096, and P-384.
openssl-blacklist covers
RSA-2048 and RSA-4096, and ECC
keys are implicitly not Debian
weak keys.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt;
color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt;
color:rgb(0,0,0)">
<span style="color:rgb(0,0,0);
font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt">Fifth
most popular is RSA-3072,
with over 3 million
unexpired, publicly-trusted
server certs.
openssl-blacklist doesn't
cover RSA-3072, but ISTM
that this is a key size that
CAs will want to permit.</span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt;
color:rgb(0,0,0)">
<span style="color:rgb(0,0,0);
font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt;
color:rgb(0,0,0)">
Some of the lesser used key
sizes are most likely due to
Subscriber typos (e.g., 2408
and 3048 were probably
intended to be 2048, 4048 was
probably intended to be either
2048 or 4096, etc), but some
of the other ones look like
they were deliberately chosen
(e.g., 2432 is 2048+384). Is
it worth generating Debian
weak keys/blocklists for any
of these key sizes?</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt;
color:rgb(0,0,0)">
<span style="color:rgb(0,0,0);
font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt;
color:rgb(0,0,0)">
<span style="color:rgb(0,0,0);
font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt"><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf" moz-do-not-send="true">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf</a> (Table
4, p59) permits RSA-2048
until the end of 2030,
whereas </span><a href="https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.2.pdf" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt" moz-do-not-send="true">https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.2.pdf</a> permits
RSA-2048 only until the end of
2025. It is of course
possible that quantum
computing will render RSA
obsolete before Subscribers
need to think about which
larger RSA keysize they want
to migrate to; however, it
seems prudent to also plan for
the possibility that RSA will
survive and that some other
RSA keysize(s) might become
popular.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt;
color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block;
width:98%">
<div id="x_x_x_x_x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b>
Servercert-wg
<a class="x_x_x_x_x_moz-txt-link-rfc2396E" href="mailto:servercert-wg-bounces@cabforum.org" moz-do-not-send="true">
<servercert-wg-bounces@cabforum.org></a> on behalf of Rob
Stradling via Servercert-wg
<a class="x_x_x_x_x_moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org" moz-do-not-send="true">
<servercert-wg@cabforum.org></a><br>
<b>Sent:</b> 06 January 2021
16:08<br>
<b>To:</b> Jacob
Hoffman-Andrews <a class="x_x_x_x_x_moz-txt-link-rfc2396E" href="mailto:jsha@letsencrypt.org" moz-do-not-send="true">
<jsha@letsencrypt.org></a>; Christopher Kemmerer <a class="x_x_x_x_x_moz-txt-link-rfc2396E" href="mailto:chris@ssl.com" moz-do-not-send="true">
<chris@ssl.com></a>;
CA/B Forum Server
Certificate WG Public
Discussion List <a class="x_x_x_x_x_moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org" moz-do-not-send="true">
<servercert-wg@cabforum.org></a><br>
<b>Subject:</b> Re:
[Servercert-wg] SCXX Ballot
proposal: Debian Weak keys</font>
<div> </div>
</div>
<div dir="ltr">
<br>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt;
color:rgb(0,0,0)">
<div style="margin:0px;
font-size:12pt">Jacob
wrote:</div>
<div style="margin:0px;
font-size:12pt">>
Lastly, I think we
should archive
openssl-blacklist, and
include in the BRs: "A
CA may reject the full
set of Debian weak keys
by rejecting this
superset of the Debian
weak keys:</div>
<div style="margin:0px;
font-size:12pt">><br>
<div>> - All RSA
public keys with
modulus lengths other
than 2048 or 4096, and</div>
<div>> - All RSA
public keys with
exponents other than
65537, and</div>
<div><br>
</div>
<div>Hi Jacob. 65537
(aka 0x10001) is
hard-coded here...</div>
<div><span style="background-color:rgb(255,255,255);
display:inline!important"><br>
</span></div>
<div><span style="background-color:rgb(255,255,255);
display:inline!important"><a href="https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768" moz-do-not-send="true">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768</a><br>
</span></div>
<div><br>
</div>
<div>Would it therefore
be fair to say that
keys with public
exponents other than
65537 are implicitly
<u>not</u> Debian weak
keys?</div>
<div><br>
</div>
> - All RSA public
keys that are detected
as vulnerable by the
openssl-vulnkey program
in the openssl-blacklist
package version 0.5-3
(see addendum), or an
equivalent program."</div>
</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt;
color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block;
width:98%">
<div id="x_x_x_x_x_x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri,
sans-serif" color="#000000"><b>From:</b>
Servercert-wg
<a class="x_x_x_x_x_moz-txt-link-rfc2396E" href="mailto:servercert-wg-bounces@cabforum.org" moz-do-not-send="true">
<servercert-wg-bounces@cabforum.org></a> on behalf of Jacob
Hoffman-Andrews via
Servercert-wg
<a class="x_x_x_x_x_moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org" moz-do-not-send="true">
<servercert-wg@cabforum.org></a><br>
<b>Sent:</b> 12
December 2020 02:21<br>
<b>To:</b> Christopher
Kemmerer <a class="x_x_x_x_x_moz-txt-link-rfc2396E" href="mailto:chris@ssl.com" moz-do-not-send="true">
<chris@ssl.com></a>; CA/B Forum Server Certificate WG Public
Discussion List <a class="x_x_x_x_x_moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org" moz-do-not-send="true">
<servercert-wg@cabforum.org></a><br>
<b>Subject:</b> Re:
[Servercert-wg] SCXX
Ballot proposal:
Debian Weak keys</font>
<div> </div>
</div>
<div>
<br>
<div>
<div dir="ltr">Thanks
for your continued
efforts to improve
this part of the
BRs! Let's Encrypt
is in theory
interested in
endorsing, but I
think it still needs
a bit of work.
Thanks for
incorporating my
most recent comments
on endianness and
word size vs 11
platforms.<br>
<br>
Goals: We want CAs
to consistently not
issue certificates
for weak keys in
general, and also in
the specific case of
Debian and ROCA
keys. We want the
definition of Debian
and ROCA keys to be
clear and actionable
for as long as
possible - say, at
least twenty years.<br>
<br>
We have three ways
to specify Debian
and ROCA keys: With
a list, with a tool,
or with an
algorithm*. The
original revision of
this ballot proposed
to use a list (<a href="https://lists.cabforum.org/pipermail/servercert-wg/2020-April/001821.html" moz-do-not-send="true">https://lists.cabforum.org/pipermail/servercert-wg/2020-April/001821.html</a>).
There were two
objections:<br>
<br>
- The list
(openssl-blacklist)
is subject to change
or removal.<br>
- The list only
covers 2048 and 4096
bit keys.<br>
<br>
The current draft
proposes specifying
a tool for ROCA (<a href="https://github.com/crocs-muni/roca" moz-do-not-send="true">https://github.com/crocs-muni/roca</a>) and an
algorithm for Debian
keys.<br>
<br>
The ROCA tool is
subject to change or
removal, just like
the
openssl-blacklist
package. I propose
we instead specify
ROCA detection in
terms of the paper (<a href="https://crocs.fi.muni.cz/public/papers/rsa_ccs17" moz-do-not-send="true">https://crocs.fi.muni.cz/public/papers/rsa_ccs17</a>)
and ask for
permission from the
authors to archive
an unchanging copy
as an addendum to
the BRs.<br>
<br>
For Debian keys,
what looks like an
algorithm
specification is
actually a tool +
algorithm
specification. The
tool is "OpenSSL
0.9.8c-1 up to
versions before
0.9.8g-9 on
Debian-based
operating systems"
(per CVE-2008-0166
-
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0166" moz-do-not-send="true">
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0166</a>). To ensure
an unchanging copy
of that, we should
archive 3 copies of
Debian, for the 3
word size +
endianness
combinations.<br>
<br>
The algorithm also
needs an additional
line: "v) using the
command 'openssl req
-nodes -subj /
-newkey
rsa:<Public Key
length>'"
(adapted from
<a href="https://sources.debian.org/data/main/o/openssl-blacklist/0.5-3/examples/gen_certs.sh" moz-do-not-send="true">
https://sources.debian.org/data/main/o/openssl-blacklist/0.5-3/examples/gen_certs.sh</a>).
Other tools that
linked OpenSSL, like
openvpn and openssh,
generated different
sets of keys. We can
include or exclude
openvpn and openssh
keys, but should
thoroughly specify.<br>
<br>
Lastly, I think we
should archive
openssl-blacklist,
and include in the
BRs: "A CA may
reject the full set
of Debian weak keys
by rejecting this
superset of the
Debian weak keys:<br>
<br>
- All RSA public
keys with modulus
lengths other than
2048 or 4096, and<br>
- All RSA public
keys with exponents
other than 65537,
and<br>
- All RSA public
keys that are
detected as
vulnerable by the
openssl-vulnkey
program in the
openssl-blacklist
package version
0.5-3 (see
addendum), or an
equivalent program."<br>
<br>
My reasoning: Given
the difficulty of
correctly setting up
old Debian versions
and generating weak
keys for sizes that
are not part of
openssl-blacklist, I
expect most CAs will
choose this path.
Given that, we
should just say what
we mean: the
pregenerated list is
fine if you restrict
key sizes, but you
don't *have* to
restrict key sizes,
so long as you have
an alternate method
to ensure you're not
issuing for Debian
weak keys at other
sizes.<br>
<br>
*I'm considering
specifying an
algorithm to be
functionally
equivalent to
specifying an
"outcome," though I
recognize this may
be too hand-wavy.<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="x_x_x_x_x_mimeAttachmentHeader"></fieldset>
<pre class="x_x_x_x_x_moz-quote-pre">_______________________________________________
Servercert-wg mailing list
<a class="x_x_x_x_x_moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:Servercert-wg@cabforum.org" moz-do-not-send="true">Servercert-wg@cabforum.org</a>
<a class="x_x_x_x_x_moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
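<p>As an added example, not code from this thread, from the openssl-blacklist package or from any of the repositories linked above, the following Python screens an RSA public key with the "superset" rule Jacob quoted and Rob questioned: reject when no blocklist exists for the modulus length (the quoted "other than 2048 or 4096", generalised here to whichever sizes a CA actually holds verified blocklists for, so an RSA-3072 list can be added once it is available), when the public exponent is not 65537, or when the modulus fingerprint appears on the blocklist for its size. The fingerprint construction (the last 20 hex characters of the SHA-1 of the <code>Modulus=&lt;hex&gt;</code> line that <code>openssl rsa -noout -modulus</code> prints) is my assumption about openssl-vulnkey's file format and should be checked against that script before it is relied on; the moduli and the blocklist file below are constructed stand-ins, not real Debian weak keys.</p>

```python
"""Debian weak-key screening for RSA public keys (added example)."""
import hashlib
from typing import Dict, Set, Tuple

# the public exponent hard-coded in the vulnerable `openssl req`
ALLOWED_EXPONENT = 65537


def blocklist_fingerprint(modulus: int) -> str:
    """Fingerprint a modulus the way the blocklist files are assumed to.

    ASSUMPTION (not confirmed by the thread): openssl-vulnkey hashes the
    exact text `openssl rsa -noout -modulus` prints, "Modulus=<HEX>\n" with
    upper-case hex, using SHA-1, and keeps the last 20 hex chars (80 bits).
    """
    line = "Modulus=%X\n" % modulus
    return hashlib.sha1(line.encode("ascii")).hexdigest()[-20:]


def load_blocklist(text: str) -> Set[str]:
    """Parse a blocklist file: blank lines and '#' comments are skipped,
    the first token of every other line is taken as a fingerprint."""
    entries: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries.add(line.split()[0].lower())
    return entries


def screen_rsa_key(modulus: int, exponent: int,
                   blocklists: Dict[int, Set[str]]) -> Tuple[bool, str]:
    """Apply the superset rule quoted in the thread. Returns (accepted, reason).

    A key is rejected when
      1. no blocklist exists for its modulus length (the thread's
         "other than 2048 or 4096", generalised to the sizes we have lists for),
      2. its public exponent is not 65537, or
      3. its modulus fingerprint is on the blocklist for its size.
    The cheap structural checks run first so that a size we cannot screen
    is refused rather than silently accepted.
    """
    bits = modulus.bit_length()
    if bits not in blocklists:
        return False, "no Debian weak-key blocklist for RSA-%d" % bits
    if exponent != ALLOWED_EXPONENT:
        return False, "public exponent %d is not 65537" % exponent
    fp = blocklist_fingerprint(modulus)
    if fp in blocklists[bits]:
        return False, "RSA-%d modulus fingerprint %s is blocklisted" % (bits, fp)
    return True, "ok"


# --- constructed sample data (NOT real Debian weak keys) ---------------------
WEAK_2048 = (1 << 2047) | 0x10001   # stand-in for a key that is on the list
GOOD_2048 = (1 << 2047) | 0x10003   # stand-in for a key that is not
GOOD_3072 = (1 << 3071) | 0x10001   # a size we hold no blocklist for

# A constructed blocklist in the one-fingerprint-per-line file layout.
SAMPLE_BLOCKLIST_2048 = ("# constructed sample, not the Debian list\n"
                         + blocklist_fingerprint(WEAK_2048) + "\n")

BLOCKLISTS: Dict[int, Set[str]] = {
    2048: load_blocklist(SAMPLE_BLOCKLIST_2048),
}

if __name__ == "__main__":
    for name, n, e in [("weak-2048", WEAK_2048, 65537),
                       ("good-2048", GOOD_2048, 65537),
                       ("bad-exponent", GOOD_2048, 3),
                       ("unlisted-3072", GOOD_3072, 65537)]:
        print(name, screen_rsa_key(n, e, BLOCKLISTS))
```

<p>Ordering matters: the size and exponent checks run before the hash lookup, so a key of a size for which no blocklist exists is refused rather than silently accepted, which is the conservative reading of the quoted rule. A CA that generates blocklists for further sizes, as Rob and HARICA describe above, adds those sets to the dictionary and the same function then screens those sizes instead of rejecting them outright.</p>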
</body>
</html>