<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
> ...my opinion is that we should introduce a new requirement such that CAs must check for Debian weak keys for all RSA modulus lengths and exponents that they accept. CAs are uniquely positioned to prevent the usage of these weak keys in the web PKI, so there
is a security benefit in mandating such universal checks.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi Corey. Yeah, OK. You've persuaded me.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span>FWIW, my tools at <a href="https://github.com/CVE-2008-0166">https://github.com/CVE-2008-0166</a> only support 65537 at the moment. I guess I'll just have to wait and see if anyone asks for other public exponent values to be supported.
<span id="🙂">🙂</span></span></div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0);">
<br>
<hr tabindex="-1" style="display:inline-block; width:98%;">
<b>From:</b> Corey Bonnell<br>
<b>Sent:</b> Tuesday, October 19, 2021 19:48<br>
<b>To:</b> Rob Stradling; Christopher Kemmerer; CA/B Forum Server Certificate WG Public Discussion List<br>
<b>Subject:</b> RE: [Servercert-wg] SCXX Ballot proposal: Debian Weak keys
<div><br>
</div>
</div>
<div class="rps_666c">
<div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="x_WordSection1">
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Hi Rob,</p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Comments inline.</p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
> <span style="font-size:12.0pt; color:black">AFAICT, in the affected Debian OpenSSL versions:</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> - "openssl req -newkey" had a hardcoded public exponent of 65537 (see </span><a href="https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768</span></a><span style="font-size:12.0pt; color:black">).</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> - "openssl genrsa" defaulted to 65537, but provided a "-3" command-line option to use a public exponent of 3 instead (see </span><a href="https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/genrsa.c" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/genrsa.c</span></a><span style="font-size:12.0pt; color:black">).</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
As you point out, the command-line tooling bundled with OpenSSL 0,9.8 generally restricted the allowed exponent. However, the RSA key generation API allowed any exponent to be specified [1], so it is possible that a custom application passed exponent values
besides 3 or 65537 to the RSA key generation function.</p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
> <span style="font-size:12.0pt; color:black">Are there any good reasons to continue to permit the public exponent 3 ?
</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Judging from Censys, it appears that there are some publicly trusted certificates containing RSA keys with an exponent of 3, so there will presumably be a (minor) ecosystem impact if an exponent value of 3 were banned. That being said, exponents smaller than
65537 are outside the SHOULD-level exponent range since BR v1.1.3 (now in section 6.1.6) so perhaps it’s time to consider strengthening the SHOULD to a MUST. Probably such a change would be outside the scope of this ballot, though.</p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
> <span style="font-size:12.0pt; color:black">The "openssl-vulnkey" tool that Debian used to ship only provided blocklists for keys with public exponents of 65537, so should we take that as a sign that CAs needn't perform a Debian weak key check when the public
exponent is anything other than 65537 ?</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
While the precedent set by accepted remediations for incidents surrounding Debian weak keys has been for CAs to check the lists distributed in the openssl-blacklist Debian package, my opinion is that we should introduce a new requirement such that CAs must
check for Debian weak keys for all RSA modulus lengths and exponents that they accept. CAs are uniquely positioned to prevent the usage of these weak keys in the web PKI, so there is a security benefit in mandating such universal checks.</p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Thanks,</p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Corey</p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
[1] <a href="https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/crypto/rsa/rsa_gen.c#L78" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">
https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/crypto/rsa/rsa_gen.c#L78</a></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<b>From:</b> Rob Stradling <rob@sectigo.com> <br>
<b>Sent:</b> Tuesday, October 19, 2021 11:31 AM<br>
<b>To:</b> Christopher Kemmerer <chris@ssl.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org>; Corey Bonnell <Corey.Bonnell@digicert.com><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot proposal: Debian Weak keys</p>
</div>
</div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">Hi Corey.</span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">AFAICT, in the affected Debian OpenSSL versions:</span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> - "openssl req -newkey" had a hardcoded public exponent of 65537 (see </span><a href="https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768</span></a><span style="font-size:12.0pt; color:black">).</span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> - "openssl genrsa" defaulted to 65537, but provided a "-3" command-line option to use a public exponent of 3 instead (see </span><a href="https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/genrsa.c" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/genrsa.c</span></a><span style="font-size:12.0pt; color:black">).</span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">Are there any good reasons to continue to permit the public exponent 3 ?
</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">The "openssl-vulnkey" tool that Debian used to ship only provided blocklists for keys with public exponents of 65537, so should we take that as a sign that CAs needn't perform a Debian weak key check when the public
exponent is anything other than 65537 ?</span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div class="x_MsoNormal" align="center" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="x_divRplyFwdMsg">
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<b><span style="color:black">From:</span></b><span style="color:black"> Servercert-wg <</span><a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">servercert-wg-bounces@cabforum.org</a><span style="color:black">>
on behalf of Corey Bonnell via Servercert-wg <</span><a href="mailto:servercert-wg@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">servercert-wg@cabforum.org</a><span style="color:black">><br>
<b>Sent:</b> 19 October 2021 15:31<br>
<b>To:</b> Christopher Kemmerer <</span><a href="mailto:chris@ssl.com" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">chris@ssl.com</a><span style="color:black">>; CA/B Forum Server Certificate WG Public Discussion List <</span><a href="mailto:servercert-wg@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">servercert-wg@cabforum.org</a><span style="color:black">><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot proposal: Debian Weak keys</span>
</p>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
</div>
</div>
<div>
<div style="border:solid black 1.0pt; padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;line-height:12.0pt; background:#FAFA03">
<span style="font-size:10.0pt; color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span></p>
</div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Hi Chris,</p>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Apologies for the late reply. I noticed that the current proposed language has no guidance regarding RSA exponents. I think it would be useful to specify the expectations in this regard (whether the CA must check for weak keys for all key lengths and exponent
combinations accepted/supported by the CA, or if checking weak key lists for only exponents 3 and 65537 is sufficient, etc.).</p>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Thanks,</p>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Corey</p>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<b>From:</b> Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">servercert-wg-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Christopher Kemmerer via Servercert-wg<br>
<b>Sent:</b> Friday, October 15, 2021 10:33 AM<br>
<b>To:</b> Rob Stradling <<a href="mailto:rob@sectigo.com" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">rob@sectigo.com</a>>; Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">dzacharo@harica.gr</a>>;
CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">servercert-wg@cabforum.org</a>>; Jacob Hoffman-Andrews <<a href="mailto:jsha@letsencrypt.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">jsha@letsencrypt.org</a>><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot proposal: Debian Weak keys</p>
</div>
</div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p style="margin-bottom:12.0pt">Thank you, Rob, and shall watch for that update. Meanwhile we are doing a final-final pass through our draft language for clarity and will send it early next week.</p>
<p style="margin-bottom:12.0pt">Chris K<br>
<br>
Meanwhile, we've cycled our draft language through another review and have made IIRC only one or two minor edits for clarity (h/t BenW).</p>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
On 10/14/2021 9:49 AM, Rob Stradling wrote:</p>
</div>
<blockquote style="margin-top:5.0pt; margin-bottom:5.0pt">
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">Today I rediscovered that I'd previously generated the RSA-8192 blocklists back in December 2009, and that they're still available at
</span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecure.sectigo.com%2Fdebian_weak_keys%2F&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987811664%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=BknvgeWEnZ4pvV0PZHrsqaYgYgzgs4wad1Y3lmy1FWk%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://secure.sectigo.com/debian_weak_keys/</span></a><span style="font-size:12.0pt; color:black">.
When I compared the old and new RSA-8192 blocklists, I found that ~0.8% of the "rnd" keys are different. It looks like, for reasons unknown, the "OpenSSL random file state" misbehaved occasionally over the 8 month run that ended recently.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">I'll report back once I've regenerated and verified the problematic keys.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div class="x_MsoNormal" align="center" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="x_x_divRplyFwdMsg">
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<b><span style="color:black">From:</span></b><span style="color:black"> Rob Stradling
</span><a href="mailto:rob@sectigo.com" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><rob@sectigo.com></a><span style="color:black"><br>
<b>Sent:</b> 23 September 2021 19:17<br>
<b>To:</b> Christopher Kemmerer </span><a href="mailto:chris@ssl.com" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><chris@ssl.com></a><span style="color:black">; Dimitris Zacharopoulos (HARICA)
</span><a href="mailto:dzacharo@harica.gr" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><dzacharo@harica.gr></a><span style="color:black">; CA/B Forum Server Certificate WG Public Discussion List
</span><a href="mailto:servercert-wg@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><servercert-wg@cabforum.org></a><span style="color:black">; Jacob Hoffman-Andrews
</span><a href="mailto:jsha@letsencrypt.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><jsha@letsencrypt.org></a><span style="color:black">; Rob Stradling
</span><a href="mailto:rob@sectigo.com" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><rob@sectigo.com></a><span style="color:black"><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot proposal: Debian Weak keys</span>
</p>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
</div>
</div>
<div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">> BTW, in case it helps, I'm about half way through generating a full set of RSA-8192 Debian weak keys, which (when complete) I'll add to the
</span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FCVE-2008-0166&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987811664%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=hEYtpXP81bOYFl0bdDSzbg8zxn7gozJ2bXAzE3ZPLwQ%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166</span></a><span style="font-size:12.0pt; color:black">
repositories.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">It took nearly 8 months (using just a single core of a fairly modest CPU), but it finally finished! Repositories updated.</span></p>
</div>
<div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div class="x_MsoNormal" align="center" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="x_x_x_divRplyFwdMsg">
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<b><span style="color:black">From:</span></b><span style="color:black"> Servercert-wg
</span><a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><servercert-wg-bounces@cabforum.org></a><span style="color:black"> on behalf of Rob Stradling via Servercert-wg
</span><a href="mailto:servercert-wg@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><servercert-wg@cabforum.org></a><span style="color:black"><br>
<b>Sent:</b> 13 May 2021 15:42<br>
<b>To:</b> Christopher Kemmerer </span><a href="mailto:chris@ssl.com" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><chris@ssl.com></a><span style="color:black">; Dimitris Zacharopoulos (HARICA)
</span><a href="mailto:dzacharo@harica.gr" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><dzacharo@harica.gr></a><span style="color:black">; CA/B Forum Server Certificate WG Public Discussion List
</span><a href="mailto:servercert-wg@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><servercert-wg@cabforum.org></a><span style="color:black">; Jacob Hoffman-Andrews
</span><a href="mailto:jsha@letsencrypt.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><jsha@letsencrypt.org></a><span style="color:black"><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot proposal: Debian Weak keys</span>
</p>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
</div>
</div>
<div>
<div style="border:solid black 1.0pt; padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;line-height:12.0pt; background:#FAFA03">
<span style="font-size:10.0pt; color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span></p>
</div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">> iii) All RSA Public Key lengths supported by the CA up to and including 4096 bits;</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">> ...</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">> For Debian weak keys not covered above, the CA SHALL take actions to minimize the probability of certificate issuance.
</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">Hi Christopher. What sort of "actions" are envisaged here? If a CA is processing a certificate request that contains a (for example) RSA-4088 public key (i.e., a key size not covered by an available Debian weak
list), either the CA is going to issue the cert or they're not. What, concretely, does "minimize the probability of certificate issuance" actually mean?</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">Why not remove that "SHALL" sentence and change point iii to: "<span style="background:white">iii) All RSA Public Key lengths supported by the CA." ?</span></span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">BTW, in case it helps, I'm about half way through generating a full set of RSA-8192 Debian weak keys, which (when complete) I'll add to the
</span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FCVE-2008-0166&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987821618%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=34YXT3egxh7Xtc5k5gqy8idcbz9cgokAIz7o8Xwbh94%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166</span></a><span style="font-size:12.0pt; color:black"> repositories.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<div class="x_MsoNormal" align="center" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="x_x_x_x_divRplyFwdMsg">
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<b><span style="color:black">From:</span></b><span style="color:black"> Christopher Kemmerer
</span><a href="mailto:chris@ssl.com" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><chris@ssl.com></a><span style="color:black"><br>
<b>Sent:</b> 13 May 2021 15:12<br>
<b>To:</b> Rob Stradling </span><a href="mailto:rob@sectigo.com" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><rob@sectigo.com></a><span style="color:black">; Dimitris Zacharopoulos (HARICA)
</span><a href="mailto:dzacharo@harica.gr" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><dzacharo@harica.gr></a><span style="color:black">; CA/B Forum Server Certificate WG Public Discussion List
</span><a href="mailto:servercert-wg@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><servercert-wg@cabforum.org></a><span style="color:black">; Jacob Hoffman-Andrews
</span><a href="mailto:jsha@letsencrypt.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><jsha@letsencrypt.org></a><span style="color:black"><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot proposal: Debian Weak keys</span>
</p>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
</div>
</div>
<div>
<div style="border:solid black 1.0pt; padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;line-height:12.0pt; background:#FAFA03">
<span style="font-size:10.0pt; color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span></p>
</div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin-bottom:12.0pt; vertical-align:baseline">
<span class="x_xxxxnormaltextrun">Hello,</span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin-bottom:12.0pt; vertical-align:baseline">
<span class="x_xxxxnormaltextrun">We deeply appreciate the useful discussion in this thread regarding this issue. We especially applaud the efforts of HARICA and Sectigo to independently generate more comprehensive lists of potentially affected Debian weak
keys. As Rob Stradling observed through his crt.sh research (20210107, </span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgist.github.com%2Frobstradling%2Fa5590b6a13218fe561dcb5d5c67932c5&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987821618%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=QXz4cOmARv%2Fg8%2FJF2NNEW2%2BSbjHJu1pv8X6vjLCx7io%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5</a><span class="x_xxxxnormaltextrun">)
of the five most utilized algorithm/key size populations, two are ECC (so not impacted by the Debian weak key issue) and three are RSA (2048, 4096, and 3072 bit length, in that order).</span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin-bottom:12.0pt; vertical-align:baseline">
<span class="x_xxxxnormaltextrun">As of their most recent messages it appears that these two organizations have independently generated comprehensive lists identifying all RSA-2048 and -4096 bit length keys. (We understand RSA-3072 length keys are also available.)
This offers the possibility that complete lists, if accepted as authoritative, could be accessed by the community to help prevent exploitation of this vulnerability.</span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin-bottom:12.0pt; vertical-align:baseline">
<span class="x_xxxxnormaltextrun">It was also noted (by the representative from Let's Encrypt) that the ROCA vulnerability is presently identified through use of a tool supported externally. It was suggested that this resource be archived in a manner that ensures
availability. (Our proposed language points to "</span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcrocs-muni%2F&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987831575%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=ZQMlATqs%2BM7Vr3aIgjdrH06gaOrkgAPTbMkM4gcSROs%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">https://github.com/crocs-muni/</a><span class="x_xxxxnormaltextrun">roca
or equivalent.")</span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin-bottom:12.0pt; vertical-align:baseline">
<span class="x_xxxxnormaltextrun">We think our present ballot language (reproduced at the end of this message) provides appropriately focused guidance to CAs. If available, we'd certainly like to also see the HARICA/Sectigo lists (which CAs could use for the
majority of Debian weak key use cases) captured somewhere in this ballot language. We are agnostic as to 1) where exactly these resources might be maintained and 2) where this ballot places directions to these resources - an annex to the current requirements,
a separate CA/BF guidance document or within Sections 4.9.1.1/6.1.1.3.</span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin-bottom:12.0pt; vertical-align:baseline">
<span class="x_xxxxnormaltextrun">Our intent is to ensure that 1) clear, accurate guidance on CA expectations is provided and 2) any resources assisting CAs in meeting these expectations are fully described, publicly available (somewhere) and with reliable
links provided. The language below, we feel, meets the first requirement. We'd appreciate input on how to best meet the second. (Note that SSL.com would be happy to support the community by hosting any of these as publicly accessible resources, whether solo
or alongside other organizations.)</span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">Chris K</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin-bottom:12.0pt; vertical-align:baseline">
<span class="x_xxxxnormaltextrun">SSL.com</span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">=====</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">--- Motion Begins ---</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based on Version 1.7.4:</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">Proposed ballot language:</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun"><b>4.9.1.1 Reasons for Revoking a Subscriber Certificate</b></span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">Replace:</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">4. The CA is made aware of a demonstrated or proven method that can easily compute the Subscriber’s Private Key based on the Public Key in the Certificate (such as a Debian weak key, see
</span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.debian.org%2FSSLkeys&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987831575%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=pXeTXYoS8oYMQteThIRSdhISQokGG4nL%2BHSymGxAwPg%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">https://wiki.debian.org/SSLkeys</a><span class="x_xxxxnormaltextrun">)</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">With:</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">4. The CA is made aware of a demonstrated or proven method that can easily compute the Subscriber’s Private Key (such as those identified in 6.1.1.3(4)).</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">---</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun"><b>6.1.1.3. Subscriber Key Pair Generation</b></span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">Replace:</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">The CA SHALL reject a certificate request if one or more of the following conditions are met:</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">1. The Key Pair does not meet the requirements set forth in Section 6.1.5 and/or Section 6.1.6;</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">2. There is clear evidence that the specific method used to generate the Private Key was flawed;</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">3. The CA is aware of a demonstrated or proven method that exposes the Applicant's Private Key to compromise;</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">4. The CA has previously been made aware that the Applicant's Private Key has suffered a Key Compromise, such as through the provisions of Section 4.9.1.1;</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">5. The CA is aware of a demonstrated or proven method to easily compute the Applicant's Private Key based on the Public Key (such as a Debian weak key, see
</span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.debian.org%2FSSLkeys&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987831575%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=pXeTXYoS8oYMQteThIRSdhISQokGG4nL%2BHSymGxAwPg%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">https://wiki.debian.org/SSLkeys</a><span class="x_xxxxnormaltextrun">).</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">With:</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">The CA SHALL reject a certificate request if one or more of the following occurs:</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">1) The requested Public Key does not meet the requirements set forth in Sections 6.1.5 and/or 6.1.6;</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">2) The CA is aware of a demonstrated or proven method that exposes the Subscriber's Private Key to compromise;</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">3) The CA has previously been made aware that the Subscriber's Private Key has suffered a Key Compromise, such as through the provisions of Section 4.9.1.1;</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">4) The Public Key corresponds to an industry demonstrated weak Private Key, in particular:</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">a) In the case of ROCA vulnerability, the CA SHALL reject keys identified by the tools available at
</span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcrocs-muni%2Froca&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987841531%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=pVWa4%2Fu9mO6gfEAN2FHOMx83i%2FGSUcG%2BfzyDoHm1xKs%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">https://github.com/crocs-muni/roca</a><span class="x_xxxxnormaltextrun">
or equivalent.</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">b) In the case of Debian weak keys (</span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.debian.org%2FSSLkeys&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987841531%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=fJSWwzvoeepBzwSexsg%2FFSKZKusdynxlt%2F1gItUiii0%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">https://wiki.debian.org/SSLkeys</a><span class="x_xxxxnormaltextrun">),
the CA SHALL reject at least keys generated by the flawed OpenSSL version with the combination of the following parameters:</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">i) Big-endian 32-bit, little-endian 32-bit, and little-endian 64-bit architecture;</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">ii) Process ID of 0 to 32767, inclusive;</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">iii) All RSA Public Key lengths supported by the CA up to and including 4096 bits;</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">iv) rnd, nornd, and noreadrnd OpenSSL random file state.</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">For Debian weak keys not covered above, the CA SHALL take actions to minimize the probability of certificate issuance.</span><span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxeop"> </span></p>
</div>
<div>
<p class="x_xxxxparagraph" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;vertical-align:baseline">
<span class="x_xxxxnormaltextrun">--- Motion Ends ---</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
On 1/18/2021 3:34 PM, Rob Stradling wrote:</p>
</div>
<blockquote style="margin-top:5.0pt; margin-bottom:5.0pt">
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">> I'm mid-way through generating the RSA-4096 keys.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">The RSA-4096 private keys and blocklists are now in
</span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FCVE-2008-0166%2Fprivate_keys&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987851488%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=t2XnHbMAXRIJHGzz%2BLi4gptSfi957l%2Fkz5fcaUc4PxA%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166/private_keys</span></a><span style="font-size:12.0pt; color:black"> and
</span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FCVE-2008-0166%2Fopenssl_blocklists&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987851488%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=%2B%2Fmznq3F0GbWZjrE1G08DqSXBOxYTLtIF1l7pLatjoU%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166/openssl_blocklists</span></a><span style="font-size:12.0pt; color:black">.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">The RSA-2048 and RSA-4096 private keys in </span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FHARICA-official%2Fdebian-weak-keys&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987861437%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=Fb5kG1Ob413KX19BP%2B37xpIahSiKi2FIZ5NfuZ%2FkuPU%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://github.com/HARICA-official/debian-weak-keys</span></a><span style="font-size:12.0pt; color:black"> (which
only covers 2 of the 3 word size / endianness combinations) are identical to the equivalents in </span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FCVE-2008-0166%2Fprivate_keys&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987861437%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=oDDkulWGG70BklQLLMR0GsX%2FRIy20y%2FKtw9gGijGyhE%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166/private_keys</span></a><span style="font-size:12.0pt; color:black">.</span></p>
</div>
<div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div class="x_MsoNormal" align="center" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="x_x_x_x_x_divRplyFwdMsg">
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<b><span style="color:black">From:</span></b><span style="color:black"> Dimitris Zacharopoulos (HARICA)
</span><a href="mailto:dzacharo@harica.gr" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><dzacharo@harica.gr></a><span style="color:black"><br>
<b>Sent:</b> 14 January 2021 18:39<br>
<b>To:</b> Rob Stradling </span><a href="mailto:rob@sectigo.com" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><rob@sectigo.com></a><span style="color:black">; CA/B Forum Server Certificate WG Public Discussion List
</span><a href="mailto:servercert-wg@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><servercert-wg@cabforum.org></a><span style="color:black">; Jacob Hoffman-Andrews
</span><a href="mailto:jsha@letsencrypt.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><jsha@letsencrypt.org></a><span style="color:black">; Christopher Kemmerer
</span><a href="mailto:chris@ssl.com" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><chris@ssl.com></a><span style="color:black"><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot proposal: Debian Weak keys</span>
</p>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
</div>
</div>
<div>
<div style="border:solid black 1.0pt; padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;line-height:12.0pt; background:#FAFA03">
<span style="font-size:10.0pt; color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span></p>
</div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
On 14/1/2021 12:30 π.μ., Rob Stradling wrote:</p>
</div>
<blockquote style="margin-top:5.0pt; margin-bottom:5.0pt">
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">Thanks Dmitris.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">So far I've generated the RSA-2048 and RSA-3072 keys using
</span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FCVE-2008-0166%2Fkey_generator&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987871399%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=4kKGwenlWGRmGjkIWofWWWnykgyNAgmJj1knMJ9PFz4%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166/key_generator</span></a><span style="font-size:12.0pt; color:black"> and
uploaded them to </span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FCVE-2008-0166%2Fprivate_keys&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987871399%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=DS2Fb707J%2BWD3UlBsOMtUWBl%2B5JkoU3S9twMJn8eSps%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166/private_keys</span></a><span style="font-size:12.0pt; color:black">,
and I've generated the corresponding blocklists and uploaded them to </span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FCVE-2008-0166%2Fopenssl_blocklists&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987871399%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=JtYLdAD8pwpvivoIfMXAeEjofoK0FqoijWEb4Sc9OV4%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166/openssl_blocklists</span></a><span style="font-size:12.0pt; color:black">.
My RSA-2048 blocklists exactly match the ones from the original Debian openssl-blacklist package.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">I'm mid-way through generating the RSA-4096 keys.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">Let's compare keys when we're both done.
</span><span style="font-size:12.0pt; font-family:"Segoe UI Emoji",sans-serif; color:black">🙂</span></p>
</div>
</blockquote>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<br>
Certainly :-) the RSA-2048 keys already match the fingerprints from the openssl-blacklist Debian package.<br>
<br>
We did this work several months ago but never found the time to make it publicly available. We managed to break down the big task and run jobs in parallel which made things a bit more interesting.<br>
<br>
It's nice we did this independently, I guess it increases the accuracy level of the resulted keys :)<br>
<br>
<br>
Cheers,<br>
Dimitris.<br>
<br>
</p>
<blockquote style="margin-top:5.0pt; margin-bottom:5.0pt">
<div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div class="x_MsoNormal" align="center" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="x_x_x_x_x_x_divRplyFwdMsg">
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<b><span style="color:black">From:</span></b><span style="color:black"> Dimitris Zacharopoulos (HARICA)
</span><a href="mailto:dzacharo@harica.gr" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><dzacharo@harica.gr></a><span style="color:black"><br>
<b>Sent:</b> 13 January 2021 21:49<br>
<b>To:</b> Rob Stradling </span><a href="mailto:rob@sectigo.com" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><rob@sectigo.com></a><span style="color:black">; CA/B Forum Server Certificate WG Public Discussion List
</span><a href="mailto:servercert-wg@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><servercert-wg@cabforum.org></a><span style="color:black">; Jacob Hoffman-Andrews
</span><a href="mailto:jsha@letsencrypt.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><jsha@letsencrypt.org></a><span style="color:black">; Christopher Kemmerer
</span><a href="mailto:chris@ssl.com" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><chris@ssl.com></a><span style="color:black"><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot proposal: Debian Weak keys</span>
</p>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
</div>
</div>
<div>
<div style="border:solid black 1.0pt; padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;line-height:12.0pt; background:#FAFA03">
<span style="font-size:10.0pt; color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span></p>
</div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Dear friends,<br>
<br>
HARICA has generated the weak keys (RSA 2048 and 4096 bit lengths) from the vulnerable openssl package. We will generate 3072 bit keys as well and add them soon. The methodology is described in the following GitHub repo along with the produced keys:</p>
<ul type="disc" style="margin-bottom: 0in;margin-top:0in">
<li class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin-top:0in; margin-bottom:0in">
<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FHARICA-official%2Fdebian-weak-keys&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987881346%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=61WsoKxsDa5%2FjBab75Y%2FZG4PbcoE3RVkCWg%2BsfY2Aww%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">https://github.com/HARICA-official/debian-weak-keys</a></li></ul>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin-right:0in; margin-bottom:12.0pt; margin-left:0in">
Please review and let us know if you spot any issues or problems with our approach and methodology.<br>
<br>
As always, please use other people's work at your own risk.<br>
<br>
<br>
Dimitris.</p>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
On 7/1/2021 2:25 ÎĽ.ÎĽ., Rob Stradling via Servercert-wg wrote:</p>
</div>
<blockquote style="margin-top:5.0pt; margin-bottom:5.0pt">
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black">I've used crt.sh to produce a survey of key algorithms/sizes in currently unexpired, publicly-trusted server certificates:</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgist.github.com%2Frobstradling%2Fa5590b6a13218fe561dcb5d5c67932c5&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987881346%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=4qveGxYahVQ6FbihVosw69bsGUs7hG1ytgI6YLxqYbY%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5</span></a></p>
</div>
<div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black">The four most popular choices are no surprise: RSA-2048, P-256, RSA-4096, and P-384. openssl-blacklist covers RSA-2048 and RSA-4096, and ECC keys are implicitly not Debian weak keys.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black">Fifth most popular is RSA-3072, with over 3 million unexpired, publicly-trusted server certs. openssl-blacklist doesn't cover RSA-3072, but ISTM that this is a key size that CAs will want to permit.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black">Some of the lesser used key sizes are mostly likely due to Subscriber typos (e.g., 2408 and 3048 were probably intended to be 2048, 4048 was probably intended to be either 2048 or 4096, etc), but some of the other
ones look like they were deliberately chosen (e.g., 2432 is 2048+384). Is it worth generating Debian weak keys/blocklists for any of these key sizes?</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnvlpubs.nist.gov%2Fnistpubs%2FSpecialPublications%2FNIST.SP.800-57pt1r5.pdf&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987891313%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=rG1bgcAgL7P3RtCaCJ0cZTcYPkcUhTlsR4J6ulGFgso%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf</span></a><span style="font-size:12.0pt; color:black"> (Table
4, p59) permits RSA-2048 until the end of 2030, whereas </span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.sogis.eu%2Fdocuments%2Fcc%2Fcrypto%2FSOGIS-Agreed-Cryptographic-Mechanisms-1.2.pdf&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987891313%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=gCbutfTj362g%2BHqbrbYgcpm5etqbhCvUFpp8E2UYinE%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt">https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.2.pd
f</span></a><span style="font-size:12.0pt; color:black"> permits RSA-2048 only until the end of 2025. It is of course possible that quantum computing will render RSA obsolete before Subscribers need to think about which larger RSA keysize they want to migrate
to; however, it seems prudent to also plan for the possibility that RSA will survive and that some other RSA keysize(s) might become popular.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div class="x_MsoNormal" align="center" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="x_x_x_x_x_x_x_divRplyFwdMsg">
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<b><span style="color:black">From:</span></b><span style="color:black"> Servercert-wg
</span><a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><servercert-wg-bounces@cabforum.org></a><span style="color:black"> on behalf of Rob Stradling via Servercert-wg
</span><a href="mailto:servercert-wg@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><servercert-wg@cabforum.org></a><span style="color:black"><br>
<b>Sent:</b> 06 January 2021 16:08<br>
<b>To:</b> Jacob Hoffman-Andrews </span><a href="mailto:jsha@letsencrypt.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><jsha@letsencrypt.org></a><span style="color:black">; Christopher Kemmerer
</span><a href="mailto:chris@ssl.com" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><chris@ssl.com></a><span style="color:black">; CA/B Forum Server Certificate WG Public Discussion List
</span><a href="mailto:servercert-wg@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><servercert-wg@cabforum.org></a><span style="color:black"><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot proposal: Debian Weak keys</span>
</p>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
</p>
</div>
</div>
<div>
<div style="border:solid black 1.0pt; padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in; line-height:12.0pt; background:#FAFA03">
<span style="font-size:10.0pt; color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span></p>
</div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
</p>
<div>
<div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black">Jacob wrote:</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black">> Lastly, I think we should archive openssl-blacklist, and include in the BRs: "A CA may reject the full set of Debian weak keys by rejecting this superset of the Debian weak keys:</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black">> </span></p>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black">> - All RSA public keys with modulus lengths other than 2048 or 4096, and</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black">> - All RSA public keys with exponents other than 65537, and</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black">Hi Jacob. 65537 (aka 0x10001) is hard-coded here...</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin-right:0in; margin-bottom:12.0pt; margin-left:0in">
</p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin-right:0in; margin-bottom:12.0pt; margin-left:0in">
<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Fblob%2FOpenSSL_0_9_8f%2Fapps%2Freq.c%23L768&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987901266%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=MjzoFnz2Q1%2FymsUTPaNkRR0zmeC0jZEVY%2Bbs22FkiQs%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><span style="font-size:12.0pt; background:white">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768</span></a></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black">Would it therefore be fair to say that keys with public exponents other than 65537 are implicitly
<u>not</u> Debian weak keys?</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black">> - All RSA public keys that are detected as vulnerable by the openssl-vulnkey program in the openssl-blacklist package version 0.5-3 (see addendum), or an equivalent program."</span></p>
</div>
</div>
<div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div class="x_MsoNormal" align="center" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="x_x_x_x_x_x_x_x_divRplyFwdMsg">
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
<b><span style="color:black">From:</span></b><span style="color:black"> Servercert-wg
</span><a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><servercert-wg-bounces@cabforum.org></a><span style="color:black"> on behalf of Jacob Hoffman-Andrews via Servercert-wg
</span><a href="mailto:servercert-wg@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><servercert-wg@cabforum.org></a><span style="color:black"><br>
<b>Sent:</b> 12 December 2020 02:21<br>
<b>To:</b> Christopher Kemmerer </span><a href="mailto:chris@ssl.com" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><chris@ssl.com></a><span style="color:black">; CA/B Forum Server Certificate WG Public Discussion List
</span><a href="mailto:servercert-wg@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable"><servercert-wg@cabforum.org></a><span style="color:black"><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot proposal: Debian Weak keys</span>
</p>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
</p>
</div>
</div>
<div>
<div style="border:solid black 1.0pt; padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in; line-height:12.0pt; background:#FAFA03">
<span style="font-size:10.0pt; color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span></p>
</div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
</p>
<div>
<div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
Thanks for your continued efforts to improve this part of the BRs! Let's Encrypt is in theory interested in endorsing, but I think it still needs a bit of work. Thanks for incorporating my most recent comments on endianness and word size vs 11 platforms.<br>
<br>
Goals: We want CAs to consistently not issue certificates for weak keys in general, and also in the specific case of Debian and ROCA keys. We want the definition of Debian and ROCA keys to be clear and actionable for as long as possible - say, at least twenty
years.<br>
<br>
We have three ways to specify Debian and ROCA keys: With a list, with a tool, or with an algorithm*. The original revision of this ballot proposed to use a list (<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fpipermail%2Fservercert-wg%2F2020-April%2F001821.html&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987901266%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=cpLY6xrC2ygCfIc1C4qGSWoC6YokanwBtNV3rRKfHjI%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">https://lists.cabforum.org/pipermail/servercert-wg/2020-April/001821.html</a>).
There were two objections:<br>
<br>
- The list (openssl-blacklist) is subject to change or removal.<br>
- The list only covers 2048 and 4096 bit keys.<br>
<br>
The current draft proposes specifying a tool for ROCA (<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcrocs-muni%2Froca&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987901266%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=l9B9jKMt0Y48WIlbd3iWTQVfQBigicKKKpjNF1nfupA%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">https://github.com/crocs-muni/roca</a>)
and an algorithm for Debian keys.<br>
<br>
The ROCA tool is subject to change or removal, just like the openssl-blacklist package. I propose we instead specify ROCA detection in terms of the paper (<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrocs.fi.muni.cz%2Fpublic%2Fpapers%2Frsa_ccs17&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987911226%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=Rub6MkznN76aolt0dhOYkfTjJkyVnj0fwZrsJUryXMQ%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">https://crocs.fi.muni.cz/public/papers/rsa_ccs17</a>)
and ask for permission from the authors to archive an unchanging copy as an addendum to the BRs.<br>
<br>
For Debian keys, what looks like an algorithm specification is actually a tool + algorithm specification. The tool is "OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems" (per CVE-2008-01666 -
<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3D2008-0166&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987911226%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=XpkzHob7aGcgQ5LgbuS5c2jqlj2c9gyXDGCcS3ie4jo%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0166</a>). To ensure an unchanging copy of that, we should archive 3 copies of Debian, for the 3 word size + endianness combinations.<br>
<br>
The algorithm also needs an additional line: "v) using the command 'openssl req -nodes -subj / -newkey rsa:<Public Key length>'" (adapted from
<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsources.debian.org%2Fdata%2Fmain%2Fo%2Fopenssl-blacklist%2F0.5-3%2Fexamples%2Fgen_certs.sh&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987921179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=Z40B2ThpBDTlyQLNf5uEi3puNaHScA%2FoA98dbSazm0M%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">
https://sources.debian.org/data/main/o/openssl-blacklist/0.5-3/examples/gen_certs.sh</a>). Other tools that linked OpenSSL, like openvpn and openssh, generated different sets of keys. We can include or exclude openvpn and openssh keys, but should thoroughly
specify.<br>
<br>
Lastly, I think we should archive openssl-blacklist, and include in the BRs: "A CA may reject the full set of Debian weak keys by rejecting this superset of the Debian weak keys:<br>
<br>
- All RSA public keys with modulus lengths other than 2048 or 4096, and<br>
- All RSA public keys with exponents other than 65537, and<br>
- All RSA public keys that are detected as vulnerable by the openssl-vulnkey program in the openssl-blacklist package version 0.5-3 (see addendum), or an equivalent program."<br>
<br>
My reasoning: Given the difficulty of correctly setting up old Debian versions and generating weak keys for sizes that are not part of openssl-blacklist, I expect most CAs will choose this path. Given that, we should just say what we mean: the pregenerated
list is fine if you restrict key sizes, but you don't *have* to restrict key sizes, so long as you have an alternate method to ensure you're not issuing for Debian weak keys at other sizes.<br>
<br>
*I'm considering specifying an algorithm to be functionally equivalent to specifying an "outcome," though I recognize this may be too hand-wavy.</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin-right:0in; margin-bottom:12.0pt; margin-left:0in">
</p>
<pre style="margin: 0in; font-size: 10pt; font-family: "Courier New";">_______________________________________________</pre>
<pre style="margin: 0in; font-size: 10pt; font-family: "Courier New";">Servercert-wg mailing list</pre>
<pre style="margin: 0in; font-size: 10pt; font-family: "Courier New";"><a href="mailto:Servercert-wg@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">Servercert-wg@cabforum.org</a></pre>
<pre style="margin: 0in; font-size: 10pt; font-family: "Courier New";"><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=04%7C01%7Crob%40sectigo.com%7Ca8c9d97cd4114ebf508708d9930d343d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637702508987921179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=ViXtSngAJ8HKviLem1BbQNX0DxAHLQuEQIlYXiHUgXw%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></pre>
</blockquote>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
</p>
</div>
</div>
</div>
</blockquote>
<p class="x_xmsonormal" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin:0in">
</p>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>