<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
We are pleased to return to discussion of this proposed ballot,
which we've reprinted immediately below.<br>
<br>
Based on the discussion thus far, we've addressed Corey's point by
adding the <b>bolded </b>line re: which modulus/exponents a CA
MUST check. (We generally agree with Jaime's suggestion that CAs <i>should
</i>check the modulus only but don't see it as crucial to explicitly
state this in the ballot.)<br>
<p>We've also updated the version in the proposal.<br>
</p>
If this ballot proceeds the next available designation would be
SC55.<br>
<br>
Many thanks,<br>
<br>
Chris K<br>
<br>
<br>
===== <br>
<br>
--- Motion Begins --- <br>
<br>
<br>
This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” as follows, based on
Version 1.8.2: <br>
<br>
<br>
Proposed ballot language: <br>
<br>
<br>
<i>4.9.1.1 Reasons for Revoking a Subscriber Certificate </i><br>
<br>
<br>
Replace: <br>
<br>
<br>
4. The CA is made aware of a demonstrated or proven method that can
easily compute the Subscriber’s Private Key based on the Public Key
in the Certificate (such as a Debian weak key, see
<a class="moz-txt-link-freetext" href="https://wiki.debian.org/SSLkeys">https://wiki.debian.org/SSLkeys</a>) <br>
<br>
<br>
With: <br>
<br>
<br>
4. The CA is made aware of a demonstrated or proven method that can
easily compute the Subscriber’s Private Key (such as those
identified in 6.1.1.3(4)). <br>
<br>
--- <br>
<br>
<i>6.1.1.3. Subscriber Key Pair Generation </i><br>
<br>
<br>
Replace: <br>
<br>
<br>
The CA SHALL reject a certificate request if one or more of the
following conditions are met: <br>
<br>
1. The Key Pair does not meet the requirements set forth in Section
6.1.5 and/or Section 6.1.6; <br>
2. There is clear evidence that the specific method used to generate
the Private Key was flawed; <br>
3. The CA is aware of a demonstrated or proven method that exposes
the Applicant's Private Key to compromise; <br>
4. The CA has previously been made aware that the Applicant's
Private Key has suffered a Key Compromise, such as through the
provisions of Section 4.9.1.1; <br>
5. The CA is aware of a demonstrated or proven method to easily
compute the Applicant's Private Key based on the Public Key (such as
a Debian weak key, see <a class="moz-txt-link-freetext" href="https://wiki.debian.org/SSLkeys">https://wiki.debian.org/SSLkeys</a>). <br>
<br>
<br>
With: <br>
<br>
<br>
The CA SHALL reject a certificate request if one or more of the
following occurs: <br>
<br>
1) The requested Public Key does not meet the requirements set forth
in Sections 6.1.5 and/or 6.1.6; <br>
2) The CA is aware of a demonstrated or proven method that exposes
the Subscriber's Private Key to compromise; <br>
3) The CA has previously been made aware that the Subscriber's
Private Key has suffered a Key Compromise, such as through the
provisions of Section 4.9.1.1; <br>
4) The Public Key corresponds to an industry demonstrated weak
Private Key, in particular: <br>
a) In the case of ROCA vulnerability, the CA SHALL reject keys
identified by the tools available at
<a class="moz-txt-link-freetext" href="https://github.com/crocs-muni/roca">https://github.com/crocs-muni/roca</a> or equivalent. <br>
b) In the case of Debian weak keys
(<a class="moz-txt-link-freetext" href="https://wiki.debian.org/SSLkeys">https://wiki.debian.org/SSLkeys</a>), the CA SHALL reject at least keys
generated by the flawed OpenSSL version with the combination of the
following parameters: <br>
<br>
i) Big-endian 32-bit, little-endian 32-bit, and little-endian 64-bit
architecture; <br>
ii) Process ID of 0 to 32767, inclusive; <br>
iii) All RSA Public Key lengths supported by the CA up to and
including 4096 bits; <br>
iv) rnd, nornd, and noreadrnd OpenSSL random file state. <br>
<br>
For Debian weak keys not covered above, the CA SHALL take actions to
minimize the probability of certificate issuance. <br>
<br>
<b>CAs MUST check for Debian weak keys for all RSA modulus lengths
and exponents that they accept.</b> <br>
<br>
--- Motion Ends ---<br>
<br>
=====<br>
<br>
<div class="moz-cite-prefix">On 10/28/2021 3:55 PM, Jaime Hablutzel
via Servercert-wg wrote:<br>
</div>
<blockquote type="cite" cite="mid:0100017cc8afbb45-28d8b787-662c-468d-b50c-1d528a6e2feb-000000@email.amazonses.com">
<div class="">
<div dir="auto" class="">It could be helpful to be a little bit
more explicit on the fact that the required check is against
the modulus<span style="font-family:Calibri,Arial,Helvetica,sans-serif" class=""> only as it </span><span style="font-family:Calibri,Arial,Helvetica,sans-serif" class="">could avoid d</span><span style="border-color:rgb(0,0,0)" class="">evelopers to</span><span style="font-family:Calibri,Arial,Helvetica,sans-serif;border-color:rgb(0,0,0)" class=""> implement this check against full public keys,
which </span><span style="font-family:Calibri,Arial,Helvetica,sans-serif" class="">can lead to:</span></div>
<div dir="auto" class="">
<ul class="">
<li class=""><span style="font-family: Calibri, Arial,
Helvetica, sans-serif;" class="">Some CAs could </span><span style="font-family: Calibri, Arial, Helvetica,
sans-serif;" class="">unknowingly </span><span style="font-family: Calibri, Arial, Helvetica,
sans-serif;" class="">embark themselves in the onerous
task of generating the affected key pairs for each
different public exponent, which is not really required</span><span style="font-family: Calibri, Arial, Helvetica,
sans-serif;" class="">.</span></li>
<li class=""><span style="font-family: Calibri, Arial,
Helvetica, sans-serif;" class="">Because of the higher
amount of work required for supporting/maintaining the
check in this way, some CAs </span><span style="font-family: Calibri, Arial, Helvetica,
sans-serif;" class="">might mistakenly omit checking
some subscriber keys, e.g. they might have in their
blocklists only the affected public keys with the public
exponent set to 65537, even when they (</span><span style="font-family: Calibri, Arial, Helvetica,
sans-serif;" class="">unintentionally</span><span style="font-family: Calibri, Arial, Helvetica,
sans-serif;" class="">) support subscriber keys with
other values for the public exponent.</span></li>
</ul>
</div>
</div>
<div class="">
<div class=""><br class="">
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 28 Oct 2021 at
03:02 Rob Stradling <<a href="mailto:rob@sectigo.com" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">rob@sectigo.com</a>> wrote:<br class="">
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">
<div dir="ltr" class="">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)" class="">
> I think we can merely state that CAs must check
for Debian weak keys for all RSA modulus lengths and
exponents that they accept. Using a comparison of the
modulus (or its hash) is essentially an implementation
detail that we don’t need to explicitly mandate.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)" class="">
<br class="">
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)" class="">
Thanks Corey. That makes sense.</div>
<div class="">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)" class="">
<br class="">
<hr style="display:inline-block;width:98%;font-family:Calibri,Arial,Helvetica,sans-serif" class="">
<b style="font-family:Calibri,Arial,Helvetica,sans-serif" class="">From:</b> Corey Bonnell<br class="">
<b style="font-family:Calibri,Arial,Helvetica,sans-serif" class="">Sent:</b> Wednesday, October 27, 2021
18:43<br class="">
<b style="font-family:Calibri,Arial,Helvetica,sans-serif" class="">To:</b> Rob Stradling; Jaime Hablutzel;
CA/B Forum Server Certificate WG Public Discussion
List<br class="">
<b style="font-family:Calibri,Arial,Helvetica,sans-serif" class="">Cc:</b> Christopher Kemmerer<br class="">
<b style="font-family:Calibri,Arial,Helvetica,sans-serif" class="">Subject:</b> RE: [EXTERNAL]-Re:
[Servercert-wg] SCXX Ballot proposal: Debian Weak
keys
<div style="font-family:Calibri,Arial,Helvetica,sans-serif" class=""><br class="">
</div>
</div>
<div class="">
<div link="blue" vlink="purple" style="word-wrap:break-word" class="" lang="EN-US">
<div class="">
<div style="margin: 0in; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">
> <span style="font-size:12pt;font-family:Calibri,sans-serif;color:black" class="">Hi Jaime. Ooh, you're right! The
affected OpenSSL versions generate the same
predictable moduli regardless of the public
exponent value.</span></div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div style="margin: 0in; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">
Yes, that’s great to know; thanks for pointing
it out.</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div style="margin: 0in; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">
> <span style="font-size:12pt;font-family:Calibri,sans-serif;color:black" class="">What's the best way to capture all
this in the ballot?</span></div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div style="margin: 0in; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">
I think we can merely state that CAs must
check for Debian weak keys for all RSA modulus
lengths and exponents that they accept. Using
a comparison of the modulus (or its hash) is
essentially an implementation detail that we
don’t need to explicitly mandate.</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div style="margin: 0in; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">
Thanks,</div>
<div style="margin: 0in; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">
Corey</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div class="">
<div style="border-style:solid none
none;border-top-width:1pt;padding:3pt 0in
0in;border-top-color:rgb(225,225,225)" class="">
<div style="margin: 0in; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">
<b style="font-family:Calibri,sans-serif" class="">From:</b> Rob Stradling <<a href="mailto:rob@sectigo.com" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">rob@sectigo.com</a>>
<br class="">
<b style="font-family:Calibri,sans-serif" class="">Sent:</b> Wednesday, October
27, 2021 5:31 AM<br class="">
<b style="font-family:Calibri,sans-serif" class="">To:</b> Jaime Hablutzel <<a href="mailto:jhablutz@WISEKEY.COM" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">jhablutz@WISEKEY.COM</a>>;
CA/B Forum Server Certificate WG Public
Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">servercert-wg@cabforum.org</a>><br class="">
<b style="font-family:Calibri,sans-serif" class="">Cc:</b> Corey Bonnell <<a href="mailto:Corey.Bonnell@digicert.com" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">Corey.Bonnell@digicert.com</a>>;
Christopher Kemmerer <<a href="mailto:chris@ssl.com" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">chris@ssl.com</a>><br class="">
<b style="font-family:Calibri,sans-serif" class="">Subject:</b> Re: [EXTERNAL]-Re:
[Servercert-wg] SCXX Ballot proposal:
Debian Weak keys</div>
</div>
</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div class="">
<div style="margin: 0in; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif;color:black" class="">Hi Jaime. Ooh, you're right!
The affected OpenSSL versions generate the
same predictable moduli regardless of the
public exponent value.</span></div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif;color:black" class=""> </span></p>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif;color:black" class="">So yes, the optimal approach
seems to be for CAs to use Debian weak key
blocklists that are based on only the RSA
modulus.</span></div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif;color:black" class=""> </span></p>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif;color:black" class="">Corey's point applies if a CA
chooses instead to implement a Debian weak
key blocklist of (for example)
SubjectPublicKeyInfos with public exponent
65537.</span></div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif;color:black" class=""> </span></p>
</div>
<div class="">
<div style="margin: 0in; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif;color:black" class="">What's the best way to capture
all this in the ballot?</span></div>
</div>
<div class="">
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif;color:black" class=""> </span></p>
<div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;text-align:center" class="" align="center">
<span style="font-size:12pt;font-family:Calibri,sans-serif;color:black" class="">
<hr style="font-family:Calibri,sans-serif" class="" width="98%" size="2" align="center">
</span></div>
<div style="margin: 0in; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">
<b style="font-family:Calibri,sans-serif" class=""><span style="font-size:12pt;font-family:Calibri,sans-serif;color:black" class="">From:</span></b><span style="font-size:12pt;font-family:Calibri,sans-serif;color:black" class=""> Jaime Hablutzel<br class="">
<b style="font-family:Calibri,sans-serif" class="">Sent:</b> Sunday, October 24,
2021 23:25<br class="">
<b style="font-family:Calibri,sans-serif" class="">To:</b> Rob Stradling; CA/B
Forum Server Certificate WG Public
Discussion List<br class="">
<b style="font-family:Calibri,sans-serif" class="">Cc:</b> Corey Bonnell;
Christopher Kemmerer<br class="">
<b style="font-family:Calibri,sans-serif" class="">Subject:</b> Re:
[EXTERNAL]-Re: [Servercert-wg] SCXX
Ballot proposal: Debian Weak keys
</span></div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif;color:black" class=""> </span></p>
</div>
</div>
<div class="">
<div class="">
<div class="">
<div style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;" class="">
Hi, I might be (very) wrong here, but,
shouldn’t blocklists be based only on
the RSA modulus for different key
sizes so validation implementations
match the module only irrespective of
whatever the public exponent is? or
does the affected prime generation
random source seed from the public
exponent too?</div>
<div class="">
<div style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;" class="">
<br class="">
<br class="">
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt" class="">
<div class="">
<div style="margin: 0in;
font-size: 11pt; font-family:
Calibri, sans-serif;" class="">
On 22 Oct 2021, at 08:58, Rob
Stradling via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">servercert-wg@cabforum.org</a>>
wrote:</div>
</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div class="">
<div class="">
<div style="margin: 0in;
font-size: 11pt; font-family:
Calibri, sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">> ...my opinion
is that we should introduce
a new requirement such that
CAs must check for Debian
weak keys for all RSA
modulus lengths and
exponents that they accept.
CAs are uniquely positioned
to prevent the usage of
these weak keys in the web
PKI, so there is a security
benefit in mandating such
universal checks.</span></div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div style="margin: 0in;
font-size: 11pt; font-family:
Calibri, sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">Hi Corey. Yeah,
OK. You've persuaded me.</span></div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div style="margin: 0in;
font-size: 11pt; font-family:
Calibri, sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">FWIW, my tools at<span style="font-family:Calibri,sans-serif" class=""> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_CVE-2D2008-2D0166&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=gZAtYdIgwjZ_F9FpjPlUFmh9SQve9WXOyzZCTDLhsH4&e=" rel="noopener noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true">https://github.com/CVE-2008-0166</a> only
support 65537 at the
moment. I guess I'll just
have to wait and see if
anyone asks for other public
exponent values to be
supported. <span style="font-family:Calibri,sans-serif" class=""> </span></span><span style="font-size:12pt;font-family:"Segoe UI Emoji",sans-serif" class="">🙂</span><span style="font-size:12pt;font-family:Calibri,sans-serif" class=""></span></div>
</div>
<div class="">
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></p>
<div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;text-align:center" class="" align="center">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">
<hr style="width:729.1pt;font-family:Calibri,sans-serif" class="" width="972" size="2" align="center">
</span></div>
<div style="margin: 0in;
font-size: 11pt;
font-family: Calibri,
sans-serif;" class="">
<b style="font-family:Calibri,sans-serif" class=""><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">From:</span></b><span style="font-family:Calibri,sans-serif" class=""><span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></span><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">Corey
Bonnell<br class="">
<b style="font-family:Calibri,sans-serif" class="">Sent:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Tuesday, October
19, 2021 19:48<br class="">
<b style="font-family:Calibri,sans-serif" class="">To:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Rob
Stradling; Christopher
Kemmerer; CA/B Forum
Server Certificate WG
Public Discussion List<br class="">
<b style="font-family:Calibri,sans-serif" class="">Subject:</b><span style="font-family:Calibri,sans-serif" class=""> </span>RE:
[Servercert-wg] SCXX
Ballot proposal: Debian
Weak keys
</span></div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></p>
</div>
</div>
<div class="">
<div class="">
<div class="">
<div class="">
<div style="margin: 0in;
font-size: 11pt;
font-family: Calibri,
sans-serif;" class="">
Hi Rob,</div>
</div>
<div class="">
<div style="margin: 0in;
font-size: 11pt;
font-family: Calibri,
sans-serif;" class="">
Comments inline.</div>
</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div class="">
<div style="margin: 0in;
font-size: 11pt;
font-family: Calibri,
sans-serif;" class="">
><span style="font-family:Calibri,sans-serif" class=""> </span><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">AFAICT,
in the affected
Debian OpenSSL
versions:</span></div>
</div>
<div class="">
<div style="margin: 0in;
font-size: 11pt;
font-family: Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">
- "openssl req
-newkey" had a
hardcoded public
exponent of 65537
(see </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openssl_openssl_blob_OpenSSL-5F0-5F9-5F8f_apps_req.c-23L768&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=Vu5UXlPv7euZNJXCO15ReMLK_k5MyC3YaUliVn6DQcU&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768</span></a><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">).</span></div>
</div>
<div class="">
<div style="margin: 0in;
font-size: 11pt;
font-family: Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">
- "openssl genrsa"
defaulted to 65537,
but provided a "-3"
command-line option
to use a public
exponent of 3
instead (see </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openssl_openssl_blob_OpenSSL-5F0-5F9-5F8f_apps_genrsa.c&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=MXbwubefERoNQfWd4kC0f7rxRrBl5yB1YZ2Y3OmPQoo&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/genrsa.c</span></a><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">).</span></div>
</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div class="">
<div style="margin: 0in;
font-size: 11pt;
font-family: Calibri,
sans-serif;" class="">
As you point out, the
command-line tooling
bundled with OpenSSL
0,9.8 generally
restricted the allowed
exponent. However, the
RSA key generation API
allowed any exponent
to be specified [1],
so it is possible that
a custom application
passed exponent values
besides 3 or 65537 to
the RSA key generation
function.</div>
</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div class="">
<div style="margin: 0in;
font-size: 11pt;
font-family: Calibri,
sans-serif;" class="">
><span style="font-family:Calibri,sans-serif" class=""> </span><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">Are there
any good reasons to
continue to permit
the public exponent
3 ?</span></div>
</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div class="">
<div style="margin: 0in;
font-size: 11pt;
font-family: Calibri,
sans-serif;" class="">
Judging from Censys,
it appears that there
are some publicly
trusted certificates
containing RSA keys
with an exponent of 3,
so there will
presumably be a
(minor) ecosystem
impact if an exponent
value of 3 were
banned. That being
said, exponents
smaller than 65537 are
outside the
SHOULD-level exponent
range since BR v1.1.3
(now in section 6.1.6)
so perhaps it’s time
to consider
strengthening the
SHOULD to a MUST.
Probably such a change
would be outside the
scope of this ballot,
though.</div>
</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div class="">
<div style="margin: 0in;
font-size: 11pt;
font-family: Calibri,
sans-serif;" class="">
><span style="font-family:Calibri,sans-serif" class=""> </span><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">The
"openssl-vulnkey"
tool that Debian
used to ship only
provided blocklists
for keys with public
exponents of 65537,
so should we take
that as a sign that
CAs needn't perform
a Debian weak key
check when the
public exponent is
anything other than
65537 ?</span></div>
</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div class="">
<div style="margin: 0in;
font-size: 11pt;
font-family: Calibri,
sans-serif;" class="">
While the precedent
set by accepted
remediations for
incidents surrounding
Debian weak keys has
been for CAs to check
the lists distributed
in the
openssl-blacklist
Debian package, my
opinion is that we
should introduce a new
requirement such that
CAs must check for
Debian weak keys for
all RSA modulus
lengths and exponents
that they accept. CAs
are uniquely
positioned to prevent
the usage of these
weak keys in the web
PKI, so there is a
security benefit in
mandating such
universal checks.</div>
</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div class="">
<div style="margin: 0in;
font-size: 11pt;
font-family: Calibri,
sans-serif;" class="">
Thanks,</div>
</div>
<div class="">
<div style="margin: 0in;
font-size: 11pt;
font-family: Calibri,
sans-serif;" class="">
Corey</div>
</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div class="">
<div style="margin: 0in;
font-size: 11pt;
font-family: Calibri,
sans-serif;" class="">
[1]<span style="font-family:Calibri,sans-serif" class=""> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openssl_openssl_blob_OpenSSL-5F0-5F9-5F8f_crypto_rsa_rsa-5Fgen.c-23L78&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=BZt9wGuErHLlj4PgA-Q_BWX-TmBE7NrL_QZcjyFCmLs&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/crypto/rsa/rsa_gen.c#L78</a></div>
</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div class="">
<div style="border-style:solid
none
none;border-top-width:1pt;padding:3pt
0in
0in;border-top-color:rgb(225,225,225)" class="">
<div class="">
<div style="margin:
0in; font-size:
11pt; font-family:
Calibri,
sans-serif;" class="">
<b style="font-family:Calibri,sans-serif" class="">From:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Rob Stradling
<<a href="mailto:rob@sectigo.com" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">rob@sectigo.com</a>><span style="font-family:Calibri,sans-serif" class=""> </span><br class="">
<b style="font-family:Calibri,sans-serif" class="">Sent:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Tuesday, October
19, 2021 11:31 AM<br class="">
<b style="font-family:Calibri,sans-serif" class="">To:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Christopher
Kemmerer <<a href="mailto:chris@ssl.com" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">chris@ssl.com</a>>;
CA/B Forum Server
Certificate WG
Public Discussion
List <<a href="mailto:servercert-wg@cabforum.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">servercert-wg@cabforum.org</a>>;
Corey Bonnell <<a href="mailto:Corey.Bonnell@digicert.com" rel="noopener noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">Corey.Bonnell@digicert.com</a>><br class="">
<b style="font-family:Calibri,sans-serif" class="">Subject:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Re:
[Servercert-wg]
SCXX Ballot
proposal: Debian
Weak keys</div>
</div>
</div>
</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div class="">
<div class="">
<div style="margin:
0in; font-size:
11pt; font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">Hi Corey.</span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in; font-size:
11pt; font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">AFAICT,
in the affected
Debian OpenSSL
versions:</span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in; font-size:
11pt; font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">
- "openssl req
-newkey" had a
hardcoded public
exponent of 65537
(see </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openssl_openssl_blob_OpenSSL-5F0-5F9-5F8f_apps_req.c-23L768&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=Vu5UXlPv7euZNJXCO15ReMLK_k5MyC3YaUliVn6DQcU&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768</span></a><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">).</span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in; font-size:
11pt; font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">
- "openssl genrsa"
defaulted to
65537, but
provided a "-3"
command-line
option to use a
public exponent of
3 instead (see </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openssl_openssl_blob_OpenSSL-5F0-5F9-5F8f_apps_genrsa.c&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=MXbwubefERoNQfWd4kC0f7rxRrBl5yB1YZ2Y3OmPQoo&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/genrsa.c</span></a><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">).</span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in; font-size:
11pt; font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">Are there
any good reasons
to continue to
permit the public
exponent 3 ?</span></div>
</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in; font-size:
11pt; font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">The
"openssl-vulnkey"
tool that Debian
used to ship only
provided
blocklists for
keys with public
exponents of
65537, so should
we take that as a
sign that CAs
needn't perform a
Debian weak key
check when the
public exponent is
anything other
than 65537 ?</span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;text-align:center" class="" align="center">
<hr style="font-family:Calibri,sans-serif" class="" width="98%" size="2" align="center">
</div>
<div id="m_-5641879633787292213m_-1239830060004810024x_x_x_divRplyFwdMsg" class="">
<div class="">
<div style="margin:
0in; font-size:
11pt; font-family:
Calibri,
sans-serif;" class="">
<b style="font-family:Calibri,sans-serif" class="">From:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Servercert-wg
<<a href="mailto:servercert-wg-bounces@cabforum.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">servercert-wg-bounces@cabforum.org</a>> on
behalf of Corey
Bonnell via
Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" rel="noopener noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">servercert-wg@cabforum.org</a>><br class="">
<b style="font-family:Calibri,sans-serif" class="">Sent:</b><span style="font-family:Calibri,sans-serif" class=""> </span>19 October 2021
15:31<br class="">
<b style="font-family:Calibri,sans-serif" class="">To:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Christopher
Kemmerer <<a href="mailto:chris@ssl.com" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">chris@ssl.com</a>>; CA/B Forum Server
Certificate WG
Public Discussion
List <<a href="mailto:servercert-wg@cabforum.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">servercert-wg@cabforum.org</a>><br class="">
<b style="font-family:Calibri,sans-serif" class="">Subject:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Re:
[Servercert-wg] SCXX
Ballot proposal:
Debian Weak keys</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
</div>
</div>
<div class="">
<div style="border:1pt
solid
black;padding:2pt" class="">
<div class="">
<div style="margin:
0in; font-size:
11pt; font-family:
Calibri,
sans-serif;
line-height: 12pt;
background-color:
rgb(250, 250, 3);" class="">
<span style="font-size:10pt;font-family:Calibri,sans-serif;color:black" class="">CAUTION:
This email
originated from
outside of the
organization. Do
not click links
or open
attachments
unless you
recognize the
sender and know
the content is
safe.</span></div>
</div>
</div>
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
</p>
<div class="">
<div class="">
<div class="">
<div style="margin:
0in; font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
Hi Chris,</div>
</div>
<div class="">
<div style="margin:
0in; font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
Apologies for
the late reply.
I noticed that
the current
proposed
language has no
guidance
regarding RSA
exponents. I
think it would
be useful to
specify the
expectations in
this regard
(whether the CA
must check for
weak keys for
all key lengths
and exponent
combinations
accepted/supported
by the CA, or if
checking weak
key lists for
only exponents 3
and 65537 is
sufficient,
etc.).</div>
</div>
<div style="margin-right:
0in; margin-left:
0in; font-size:
11pt; font-family:
Calibri,
sans-serif;" class="">
<br class="webkit-block-placeholder">
</div>
<div class="">
<div style="margin:
0in; font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
Thanks,</div>
</div>
<div class="">
<div style="margin:
0in; font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
Corey</div>
</div>
<div style="margin-right:
0in; margin-left:
0in; font-size:
11pt; font-family:
Calibri,
sans-serif;" class="">
<br class="webkit-block-placeholder">
</div>
<div class="">
<div style="border-style:solid
none
none;border-top-width:1pt;padding:3pt
0in
0in;border-top-color:rgb(225,225,225)" class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<b style="font-family:Calibri,sans-serif" class="">From:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Servercert-wg
<<a href="mailto:servercert-wg-bounces@cabforum.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">servercert-wg-bounces@cabforum.org</a>><span style="font-family:Calibri,sans-serif" class=""> </span><b style="font-family:Calibri,sans-serif" class="">On
Behalf Of<span style="font-family:Calibri,sans-serif" class=""> </span></b>Christopher
Kemmerer via
Servercert-wg<br class="">
<b style="font-family:Calibri,sans-serif" class="">Sent:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Friday, October
15, 2021 10:33
AM<br class="">
<b style="font-family:Calibri,sans-serif" class="">To:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Rob Stradling
<<a href="mailto:rob@sectigo.com" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">rob@sectigo.com</a>>;
Dimitris
Zacharopoulos
(HARICA) <<a href="mailto:dzacharo@harica.gr" rel="noopener noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">dzacharo@harica.gr</a>>;
CA/B Forum
Server
Certificate WG
Public
Discussion
List <<a href="mailto:servercert-wg@cabforum.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">servercert-wg@cabforum.org</a>>;
Jacob
Hoffman-Andrews
<<a href="mailto:jsha@letsencrypt.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="moz-txt-link-freetext" moz-do-not-send="true">jsha@letsencrypt.org</a>><br class="">
<b style="font-family:Calibri,sans-serif" class="">Subject:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Re:
[Servercert-wg]
SCXX Ballot
proposal:
Debian Weak
keys</div>
</div>
</div>
</div>
<div style="margin-right:
0in; margin-left:
0in; font-size:
11pt; font-family:
Calibri,
sans-serif;" class="">
<br class="webkit-block-placeholder">
</div>
<p style="margin:0in
0in
12pt;font-size:11pt;font-family:Calibri,sans-serif" class="">
<span style="font-size:9pt;font-family:Helvetica,sans-serif" class="">Thank
you, Rob, and
shall watch for
that update.
Meanwhile we are
doing a
final-final pass
through our
draft language
for clarity and
will send it
early next week.</span></p>
<p style="margin:0in
0in
12pt;font-size:11pt;font-family:Calibri,sans-serif" class="">
<span style="font-size:9pt;font-family:Helvetica,sans-serif" class="">Chris K<br class="">
<br class="">
Meanwhile, we've
cycled our draft
language
through another
review and have
made IIRC only
one or two minor
edits for
clarity (h/t
BenW).</span></p>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
On 10/14/2021
9:49 AM, Rob
Stradling
wrote:</div>
</div>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt" class="">
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">Today
I rediscovered
that I'd
previously
generated the
RSA-8192
blocklists
back in
December 2009,
and that
they're still
available at<span style="font-family:Calibri,sans-serif" class=""> </span></span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fsecure.sectigo.com-252Fdebian-5Fweak-5Fkeys-252F-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987811664-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DBknvgeWEnZ4pvV0PZHrsqaYgYgzgs4wad1Y3lmy1FWk-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=zzVoaIwOBGmJbK59JUU8ZW6-rpOfDM9LW4-DOaggMQQ&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://secure.sectigo.com/debian_weak_keys/</span></a><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">. When I
compared the
old and new
RSA-8192
blocklists, I
found that
~0.8% of the
"rnd" keys are
different. It
looks like,
for reasons
unknown, the
"OpenSSL
random file
state"
misbehaved
occasionally
over the 8
month run that
ended
recently.</span></div>
</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">I'll
report back
once I've
regenerated
and verified
the
problematic
keys.</span></div>
</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;text-align:center" class="" align="center">
<hr style="font-family:Calibri,sans-serif" class="" width="98%" size="2" align="center">
</div>
<div id="m_-5641879633787292213m_-1239830060004810024x_x_x_x_divRplyFwdMsg" class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<b style="font-family:Calibri,sans-serif" class="">From:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Rob Stradling<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:rob@sectigo.com" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><rob@sectigo.com></a><br class="">
<b style="font-family:Calibri,sans-serif" class="">Sent:</b><span style="font-family:Calibri,sans-serif" class=""> </span>23 September
2021 19:17<br class="">
<b style="font-family:Calibri,sans-serif" class="">To:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Christopher
Kemmerer<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:chris@ssl.com" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><chris@ssl.com></a>;
Dimitris
Zacharopoulos
(HARICA)<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:dzacharo@harica.gr" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><dzacharo@harica.gr></a>;
CA/B Forum
Server
Certificate WG
Public
Discussion
List<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:servercert-wg@cabforum.org" rel="noopener noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><servercert-wg@cabforum.org></a>;
Jacob
Hoffman-Andrews<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:jsha@letsencrypt.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><jsha@letsencrypt.org></a>;
Rob Stradling<a href="mailto:rob@sectigo.com" rel="noopener noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><rob@sectigo.com></a><br class="">
<b style="font-family:Calibri,sans-serif" class="">Subject:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Re:
[Servercert-wg]
SCXX Ballot
proposal:
Debian Weak
keys</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<br class="webkit-block-placeholder">
</div>
</div>
</div>
<div class="">
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">> BTW,
in case it
helps, I'm
about half way
through
generating a
full set of
RSA-8192
Debian weak
keys, which
(when
complete) I'll
add to the<span style="font-family:Calibri,sans-serif" class=""> </span></span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987811664-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DhEYtpXP81bOYFl0bdDSzbg8zxn7gozJ2bXAzE3ZPLwQ-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=CZuzMqYs2tJKnr9PUCkV8xEr-EQLZuEnpygT0nUUNYQ&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://github.com/CVE-2008-0166</span></a><span style="font-family:Calibri,sans-serif" class=""><span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></span><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">repositories.</span></div>
</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">It
took nearly 8
months (using
just a single
core of a
fairly modest
CPU), but it
finally
finished!
Repositories
updated.</span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;text-align:center" class="" align="center">
<hr style="font-family:Calibri,sans-serif" class="" width="98%" size="2" align="center">
</div>
<div id="m_-5641879633787292213m_-1239830060004810024x_x_x_x_x_divRplyFwdMsg" class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<b style="font-family:Calibri,sans-serif" class="">From:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Servercert-wg<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:servercert-wg-bounces@cabforum.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><servercert-wg-bounces@cabforum.org></a><span style="font-family:Calibri,sans-serif" class=""> </span>on behalf of Rob
Stradling via
Servercert-wg<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:servercert-wg@cabforum.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><servercert-wg@cabforum.org></a><br class="">
<b style="font-family:Calibri,sans-serif" class="">Sent:</b><span style="font-family:Calibri,sans-serif" class=""> </span>13 May 2021
15:42<br class="">
<b style="font-family:Calibri,sans-serif" class="">To:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Christopher
Kemmerer<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:chris@ssl.com" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><chris@ssl.com></a>;
Dimitris
Zacharopoulos
(HARICA)<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:dzacharo@harica.gr" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><dzacharo@harica.gr></a>;
CA/B Forum
Server
Certificate WG
Public
Discussion
List<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:servercert-wg@cabforum.org" rel="noopener noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><servercert-wg@cabforum.org></a>;
Jacob
Hoffman-Andrews<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:jsha@letsencrypt.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><jsha@letsencrypt.org></a><br class="">
<b style="font-family:Calibri,sans-serif" class="">Subject:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Re:
[Servercert-wg]
SCXX Ballot
proposal:
Debian Weak
keys</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<br class="webkit-block-placeholder">
</div>
</div>
</div>
<div class="">
<div style="border:1pt
solid
black;padding:2pt" class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
line-height:
12pt;
background-color:
rgb(250, 250,
3);" class="">
<span style="font-size:10pt;font-family:Calibri,sans-serif;color:black" class="">CAUTION:
This email
originated
from outside
of the
organization.
Do not click
links or open
attachments
unless you
recognize the
sender and
know the
content is
safe.</span></div>
</div>
</div>
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<br class="webkit-block-placeholder">
</div>
<div class="">
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">> iii)
All RSA Public
Key lengths
supported by
the CA up to
and including
4096 bits;</span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">>
...</span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">> For
Debian weak
keys not
covered above,
the CA SHALL
take actions
to minimize
the
probability of
certificate
issuance.</span></div>
</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">Hi
Christopher.
What sort of
"actions" are
envisaged
here? If a CA
is processing
a certificate
request that
contains a
(for example)
RSA-4088
public key
(i.e., a key
size not
covered by an
available
Debian weak
list), either
the CA is
going to issue
the cert or
they're not.
What,
concretely,
does "minimize
the
probability of
certificate
issuance"
actually mean?</span></div>
</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">Why
not remove
that "SHALL"
sentence and
change point
iii to: "<span style="font-family:Calibri,sans-serif;background-color:white;color:black" class="">iii)
All RSA Public
Key lengths
supported by
the CA." ?</span></span></div>
</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">BTW,
in case it
helps, I'm
about half way
through
generating a
full set of
RSA-8192
Debian weak
keys, which
(when
complete) I'll
add to the<span style="font-family:Calibri,sans-serif" class=""> </span></span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987821618-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3D34YXT3egxh7Xtc5k5gqy8idcbz9cgokAIz7o8Xwbh94-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=taqinDAOLRdSvETy9ob78hR_-KPxttqWcUNY_M86mTY&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://github.com/CVE-2008-0166</span></a><span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> repositories.</span></div>
</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;text-align:center" class="" align="center">
<hr style="font-family:Calibri,sans-serif" class="" width="98%" size="2" align="center">
</div>
<div id="m_-5641879633787292213m_-1239830060004810024x_x_x_x_x_x_divRplyFwdMsg" class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<b style="font-family:Calibri,sans-serif" class="">From:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Christopher
Kemmerer<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:chris@ssl.com" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><chris@ssl.com></a><br class="">
<b style="font-family:Calibri,sans-serif" class="">Sent:</b><span style="font-family:Calibri,sans-serif" class=""> </span>13 May 2021
15:12<br class="">
<b style="font-family:Calibri,sans-serif" class="">To:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Rob Stradling<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:rob@sectigo.com" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><rob@sectigo.com></a>;
Dimitris
Zacharopoulos
(HARICA)<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:dzacharo@harica.gr" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><dzacharo@harica.gr></a>;
CA/B Forum
Server
Certificate WG
Public
Discussion
List<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:servercert-wg@cabforum.org" rel="noopener noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><servercert-wg@cabforum.org></a>;
Jacob
Hoffman-Andrews<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:jsha@letsencrypt.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><jsha@letsencrypt.org></a><br class="">
<b style="font-family:Calibri,sans-serif" class="">Subject:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Re:
[Servercert-wg]
SCXX Ballot
proposal:
Debian Weak
keys</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<br class="webkit-block-placeholder">
</div>
</div>
</div>
<div class="">
<div style="border:1pt
solid
black;padding:2pt" class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
line-height:
12pt;
background-color:
rgb(250, 250,
3);" class="">
<span style="font-size:10pt;font-family:Calibri,sans-serif;color:black" class="">CAUTION:
This email
originated
from outside
of the
organization.
Do not click
links or open
attachments
unless you
recognize the
sender and
know the
content is
safe.</span></div>
</div>
</div>
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<br class="webkit-block-placeholder">
</div>
<div class="">
<div class="">
<p style="margin:0in
0in
12pt;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class="">Hello,</span></p>
</div>
<div class="">
<p style="margin:0in
0in
12pt;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class="">We
deeply
appreciate the
useful
discussion in
this thread
regarding this
issue. We
especially
applaud the
efforts of
HARICA and
Sectigo to
independently
generate more
comprehensive
lists of
potentially
affected
Debian weak
keys. As Rob
Stradling
observed
through his
crt.sh
research
(20210107,</span><span style="font-family:Calibri,sans-serif" class=""> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgist.github.com-252Frobstradling-252Fa5590b6a13218fe561dcb5d5c67932c5-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987821618-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DQXz4cOmARv-252Fg8-252FJF2NNEW2-252BSbjHJu1pv8X6vjLCx7io-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=EARvfcpJ6O_cJ0KioLW9U0gNj00u2-_njjGSKcTRtE8&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true">https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5</a><span style="font-family:Calibri,sans-serif" class="">) of the five most
utilized
algorithm/key
size
populations,
two are ECC
(so not
impacted by
the Debian
weak key
issue) and
three are RSA
(2048, 4096,
and 3072 bit
length, in
that order).</span></p>
</div>
<div class="">
<p style="margin:0in
0in
12pt;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class="">As of
their most
recent
messages it
appears that
these two
organizations
have
independently
generated
comprehensive
lists
identifying
all RSA-2048
and -4096 bit
length keys.
(We understand
RSA-3072
length keys
are also
available.)
This offers
the
possibility
that complete
lists, if
accepted as
authoritative,
could be
accessed by
the community
to help
prevent
exploitation
of this
vulnerability.</span></p>
</div>
<div class="">
<p style="margin:0in
0in
12pt;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class="">It
was also noted
(by the
representative
from Let's
Encrypt) that
the ROCA
vulnerability
is presently
identified
through use of
a tool
supported
externally. It
was suggested
that this
resource be
archived in a
manner that
ensures
availability.
(Our proposed
language
points to "</span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252Fcrocs-2Dmuni-252F-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987831575-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DZQMlATqs-252BM7Vr3aIgjdrH06gaOrkgAPTbMkM4gcSROs-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=goTnhfES-zV16ifNjJ90Y_GUk39wftGwqMJiZKuw5aY&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true">https://github.com/crocs-muni/</a><span style="font-family:Calibri,sans-serif" class="">roca or equivalent.")</span></p>
</div>
<div class="">
<p style="margin:0in
0in
12pt;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class="">We
think our
present ballot
language
(reproduced at
the end of
this message)
provides
appropriately
focused
guidance to
CAs. If
available,
we'd certainly
like to also
see the
HARICA/Sectigo
lists (which
CAs could use
for the
majority of
Debian weak
key use cases)
captured
somewhere in
this ballot
language. We
are agnostic
as to 1) where
exactly these
resources
might be
maintained and
2) where this
ballot places
directions to
these
resources - an
annex to the
current
requirements,
a separate
CA/BF guidance
document or
within
Sections <a href="http://4.9.1.1/6.1.1.3" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true">4.9.1.1/6.1.1.3</a>.</span></p>
</div>
<div class="">
<p style="margin:0in
0in
12pt;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class="">Our
intent is to
ensure that 1)
clear,
accurate
guidance on CA
expectations
is provided
and 2) any
resources
assisting CAs
in meeting
these
expectations
are fully
described,
publicly
available
(somewhere)
and with
reliable links
provided. The
language
below, we
feel, meets
the first
requirement.
We'd
appreciate
input on how
to best meet
the second.
(Note that</span><span style="font-family:Calibri,sans-serif" class=""> </span><span style="font-family:Calibri,sans-serif" class=""><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__ssl.com_&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=j-4qIhXvNMe9dfS8B8CWq0sSP-IOQRNSRmpjiPXIFZw&m=JnxStoHpP62BM2-15Vtby3qBQbCdQrSyCNPjVNH_IS8&s=SGnteTNpPS1X4ickvt5qbC2WDrpValWXK42R9uvwO04&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true">SSL.com</a></span><span style="font-family:Calibri,sans-serif" class=""> </span><span style="font-family:Calibri,sans-serif" class="">would
be happy to
support the
community by
hosting any of
these as
publicly
accessible
resources,
whether solo
or alongside
other
organizations.)</span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">Chris
K</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in
0in
12pt;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__ssl.com_&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=j-4qIhXvNMe9dfS8B8CWq0sSP-IOQRNSRmpjiPXIFZw&m=JnxStoHpP62BM2-15Vtby3qBQbCdQrSyCNPjVNH_IS8&s=SGnteTNpPS1X4ickvt5qbC2WDrpValWXK42R9uvwO04&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true">SSL.com</a></span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">=====</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">---
Motion Begins
---</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">This
ballot
modifies the
“Baseline
Requirements
for the
Issuance and
Management of
Publicly-Trusted Certificates” as follows, based on Version 1.7.4:</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">Proposed
ballot
language:</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class=""><b style="font-family:Calibri,sans-serif" class="">4.9.1.1
Reasons for
Revoking a
Subscriber
Certificate</b></span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">Replace:</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">4.
The CA is made
aware of a
demonstrated
or proven
method that
can easily
compute the
Subscriber’s
Private Key
based on the
Public Key in
the
Certificate
(such as a
Debian weak
key, see</span><span style="font-family:Calibri,sans-serif" class=""> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwiki.debian.org-252FSSLkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987831575-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DpXeTXYoS8oYMQteThIRSdhISQokGG4nL-252BHSymGxAwPg-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=ZtytHt-KbbrRxo2oN_oCa2ihhQEPcupL52pOSa3xs9U&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true">https://wiki.debian.org/SSLkeys</a><span style="font-family:Calibri,sans-serif" class="">)</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">With:</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">4.
The CA is made
aware of a
demonstrated
or proven
method that
can easily
compute the
Subscriber’s
Private Key
(such as those
identified in
6.1.1.3(4)).</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">---</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class=""><b style="font-family:Calibri,sans-serif" class="">6.1.1.3.
Subscriber Key
Pair
Generation</b></span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">Replace:</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">The
CA SHALL
reject a
certificate
request if one
or more of the
following
conditions are
met:</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">1.
The Key Pair
does not meet
the
requirements
set forth in
Section 6.1.5
and/or Section
6.1.6;</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">2.
There is clear
evidence that
the specific
method used to
generate the
Private Key
was flawed;</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">3.
The CA is
aware of a
demonstrated
or proven
method that
exposes the
Applicant's
Private Key to
compromise;</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">4.
The CA has
previously
been made
aware that the
Applicant's
Private Key
has suffered a
Key
Compromise,
such as
through the
provisions of
Section
4.9.1.1;</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">5.
The CA is
aware of a
demonstrated
or proven
method to
easily compute
the
Applicant's
Private Key
based on the
Public Key
(such as a
Debian weak
key, see</span><span style="font-family:Calibri,sans-serif" class=""> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwiki.debian.org-252FSSLkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987831575-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DpXeTXYoS8oYMQteThIRSdhISQokGG4nL-252BHSymGxAwPg-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=ZtytHt-KbbrRxo2oN_oCa2ihhQEPcupL52pOSa3xs9U&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true">https://wiki.debian.org/SSLkeys</a><span style="font-family:Calibri,sans-serif" class="">).</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">With:</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">The
CA SHALL
reject a
certificate
request if one
or more of the
following
occurs:</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">1)
The requested
Public Key
does not meet
the
requirements
set forth in
Sections 6.1.5
and/or 6.1.6;</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">2)
The CA is
aware of a
demonstrated
or proven
method that
exposes the
Subscriber's
Private Key to
compromise;</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">3)
The CA has
previously
been made
aware that the
Subscriber's
Private Key
has suffered a
Key
Compromise,
such as
through the
provisions of
Section
4.9.1.1;</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">4)
The Public Key
corresponds to
an industry
demonstrated
weak Private
Key, in
particular:</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">a) In
the case of
ROCA
vulnerability,
the CA SHALL
reject keys
identified by
the tools
available at</span><span style="font-family:Calibri,sans-serif" class=""> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252Fcrocs-2Dmuni-252Froca-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987841531-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DpVWa4-252Fu9mO6gfEAN2FHOMx83i-252FGSUcG-252BfzyDoHm1xKs-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=6j9rei_kmtaqpNr-93i7Jp1C7q5YNaJtJJ2z3Rn5FzE&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true">https://github.com/crocs-muni/roca</a><span style="font-family:Calibri,sans-serif" class=""> </span><span style="font-family:Calibri,sans-serif" class="">or
equivalent.</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">b) In
the case of
Debian weak
keys (</span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwiki.debian.org-252FSSLkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987841531-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DfJSWwzvoeepBzwSexsg-252FFSKZKusdynxlt-252F1gItUiii0-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=7VJmjfUviaQVQ3rIxm7xE-dFcYL1TLUk2yNWY4hFx0U&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true">https://wiki.debian.org/SSLkeys</a><span style="font-family:Calibri,sans-serif" class="">), the CA SHALL reject
at least keys
generated by
the flawed
OpenSSL
version with
the
combination of
the following
parameters:</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">i)
Big-endian
32-bit,
little-endian
32-bit, and
little-endian
64-bit
architecture;</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">ii)
Process ID of
0 to 32767,
inclusive;</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">iii)
All RSA Public
Key lengths
supported by
the CA up to
and including
4096 bits;</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">iv)
rnd, nornd,
and noreadrnd
OpenSSL random
file state.</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">For
Debian weak
keys not
covered above,
the CA SHALL
take actions
to minimize
the
probability of
certificate
issuance.</span><span style="font-family:Calibri,sans-serif" class=""> </span></div>
</div>
</div>
<div class="">
<p style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;vertical-align:baseline" class="">
<span style="font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
vertical-align:
baseline;" class="">
<span style="font-family:Calibri,sans-serif" class="">---
Motion Ends
---</span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
On 1/18/2021
3:34 PM, Rob
Stradling
wrote:</div>
</div>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt" class="">
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">>
I'm mid-way
through
generating the
RSA-4096 keys.</span></div>
</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">The
RSA-4096
private keys
and blocklists
are now in<span style="font-family:Calibri,sans-serif" class=""> </span></span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-252Fprivate-5Fkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987851488-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3Dt2XnHbMAXRIJHGzz-252BLi4gptSfi957l-252Fkz5fcaUc4PxA-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=iSbz-XCr-uFk_7Y8gJ0DA2ii9QYdRcBI5WcrvGeE55Q&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://github.com/CVE-2008-0166/private_keys</span></a><span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> and</span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-252Fopenssl-5Fblocklists-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987851488-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3D-252B-252Fmznq3F0GbWZjrE1G08DqSXBOxYTLtIF1l7pLatjoU-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG
7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=-tHYY-qeEG6kULte0FSWXNcttvh6n3BUnjh8PTDXi-c&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://github.com/CVE-2008-0166/openssl_blocklists</span></a><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">.</span></div>
</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">The
RSA-2048 and
RSA-4096
private keys
in </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FHARICA-2Dofficial-252Fdebian-2Dweak-2Dkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987861437-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DFb5kG1Ob413KX19BP-252B37xpIahSiKi2FIZ5NfuZ-252FkuPU-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=_lfhBqavAtNpmBCedDWRhR5JY_praNbAngJx0m7i14E&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://github.com/HARICA-official/debian-weak-keys</span></a><span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> (which
only covers 2
of the 3 word
size /
endianness
combinations)
are identical
to the
equivalents
in </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-252Fprivate-5Fkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987861437-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DoDDkulWGG70BklQLLMR0GsX-252FRIy20y-252FKtw9gGijGyhE-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=yAkqXLZo2IvXlCZvKvbFvweWp1zicZGNjpQ-S6gHQbY&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://github.com/CVE-2008-0166/private_keys</span></a><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">.</span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;text-align:center" class="" align="center">
<hr style="font-family:Calibri,sans-serif" class="" width="98%" size="2" align="center">
</div>
<div id="m_-5641879633787292213m_-1239830060004810024x_x_x_x_x_x_x_divRplyFwdMsg" class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<b style="font-family:Calibri,sans-serif" class="">From:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Dimitris
Zacharopoulos
(HARICA)<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:dzacharo@harica.gr" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><dzacharo@harica.gr></a><br class="">
<b style="font-family:Calibri,sans-serif" class="">Sent:</b><span style="font-family:Calibri,sans-serif" class=""> </span>14 January 2021
18:39<br class="">
<b style="font-family:Calibri,sans-serif" class="">To:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Rob Stradling<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:rob@sectigo.com" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><rob@sectigo.com></a>;
CA/B Forum
Server
Certificate WG
Public
Discussion
List<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:servercert-wg@cabforum.org" rel="noopener noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><servercert-wg@cabforum.org></a>;
Jacob
Hoffman-Andrews<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:jsha@letsencrypt.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><jsha@letsencrypt.org></a>;
Christopher
Kemmerer<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:chris@ssl.com" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><chris@ssl.com></a><br class="">
<b style="font-family:Calibri,sans-serif" class="">Subject:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Re:
[Servercert-wg]
SCXX Ballot
proposal:
Debian Weak
keys</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<br class="webkit-block-placeholder">
</div>
</div>
</div>
<div class="">
<div style="border:1pt
solid
black;padding:2pt" class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
line-height:
12pt;
background-color:
rgb(250, 250,
3);" class="">
<span style="font-size:10pt;font-family:Calibri,sans-serif;color:black" class="">CAUTION:
This email
originated
from outside
of the
organization.
Do not click
links or open
attachments
unless you
recognize the
sender and
know the
content is
safe.</span></div>
</div>
</div>
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<br class="webkit-block-placeholder">
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<br class="webkit-block-placeholder">
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
On 14/1/2021
12:30 π.μ.,
Rob Stradling
wrote:</div>
</div>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt" class="">
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">Thanks
Dmitris.</span></div>
</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">So
far I've
generated the
RSA-2048 and
RSA-3072 keys
using<span style="font-family:Calibri,sans-serif" class=""> </span></span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-252Fkey-5Fgenerator-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987871399-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3D4kKGwenlWGRmGjkIWofWWWnykgyNAgmJj1knMJ9PFz4-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=NAsWm8iu6UPJcqogRr7ZHylAINg9o87jFWyCbM_GxlE&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://github.com/CVE-2008-0166/key_generator</span></a><span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> and
uploaded them
to<span style="font-family:Calibri,sans-serif" class=""> </span></span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-252Fprivate-5Fkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987871399-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DDS2Fb707J-252BWD3UlBsOMtUWBl-252B5JkoU3S9twMJn8eSps-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=wLahGmkoShePVAd3354Vg-KIUIG_bUnevY1465It5Jk&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://github.com/CVE-2008-0166/private_keys</span></a><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">, and
I've generated
the
corresponding
blocklists and
uploaded them
to<span style="font-family:Calibri,sans-serif" class=""> </span></span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-252Fopenssl-5Fblocklists-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987871399-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DJtYLdAD8pwpvivoIfMXAeEjofoK0FqoijWEb4Sc9OV4-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=NrxlbUT4xWxoifiZhepNwMg-9wFwdQwvVmKKxNVBuk8&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://github.com/CVE-2008-0166/openssl_blocklists</span></a><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">. My
RSA-2048
blocklists
exactly match
the ones from
the original
Debian
openssl-blacklist
package.</span></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">I'm
mid-way
through
generating the
RSA-4096 keys.</span></div>
</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">Let's
compare keys
when we're
both done. <span style="font-family:Calibri,sans-serif" class=""> </span></span><span style="font-size:12pt;font-family:"Segoe
UI
Emoji",sans-serif" class="">🙂</span></div>
</div>
</div>
</blockquote>
<div class="">
<p style="margin:0in
0in
12pt;font-size:11pt;font-family:Calibri,sans-serif" class="">
<br class="">
Certainly :-)
the RSA-2048
keys already
match the
fingerprints
from the
openssl-blacklist
Debian
package.<br class="">
<br class="">
We did this
work several
months ago but
never found
the time to
make it
publicly
available. We
managed to
break down the
big task and
run jobs in
parallel which
made things a
bit more
interesting.<br class="">
<br class="">
It's nice we
did this
independently,
I guess it
increases the
accuracy level
of the
resulted keys
:)<br class="">
<br class="">
<br class="">
Cheers,<br class="">
Dimitris.</p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt" class="">
<div class="">
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span><br class="webkit-block-placeholder">
</div>
</div>
<div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;text-align:center" class="" align="center">
<hr style="font-family:Calibri,sans-serif" class="" width="98%" size="2" align="center">
</div>
<div id="m_-5641879633787292213m_-1239830060004810024x_x_x_x_x_x_x_x_divRplyFwdMsg" class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<b style="font-family:Calibri,sans-serif" class="">From:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Dimitris
Zacharopoulos
(HARICA)<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:dzacharo@harica.gr" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><dzacharo@harica.gr></a><br class="">
<b style="font-family:Calibri,sans-serif" class="">Sent:</b><span style="font-family:Calibri,sans-serif" class=""> </span>13 January 2021
21:49<br class="">
<b style="font-family:Calibri,sans-serif" class="">To:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Rob Stradling<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:rob@sectigo.com" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><rob@sectigo.com></a>;
CA/B Forum
Server
Certificate WG
Public
Discussion
List<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:servercert-wg@cabforum.org" rel="noopener noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><servercert-wg@cabforum.org></a>;
Jacob
Hoffman-Andrews<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:jsha@letsencrypt.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><jsha@letsencrypt.org></a>;
Christopher
Kemmerer<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:chris@ssl.com" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><chris@ssl.com></a><br class="">
<b style="font-family:Calibri,sans-serif" class="">Subject:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Re:
[Servercert-wg]
SCXX Ballot
proposal:
Debian Weak
keys</div>
</div>
<div class="">
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<br class="webkit-block-placeholder">
</div>
</div>
</div>
<div class="">
<div style="border:1pt
solid
black;padding:2pt" class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
line-height:
12pt;
background-color:
rgb(250, 250,
3);" class="">
<span style="font-size:10pt;font-family:Calibri,sans-serif;color:black" class="">CAUTION:
This email
originated
from outside
of the
organization.
Do not click
links or open
attachments
unless you
recognize the
sender and
know the
content is
safe.</span></div>
</div>
</div>
<div style="margin-right:
0in;
margin-left:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<br class="webkit-block-placeholder">
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
Dear friends,<br class="">
<br class="">
HARICA has
generated the
weak keys (RSA
2048 and 4096
bit lengths)
from the
vulnerable
openssl
package. We
will generate
3072 bit keys
as well and
add them soon.
The
methodology is
described in
the following
GitHub repo
along with the
produced keys:</div>
</div>
<ul style="margin-bottom:0in;margin-top:0in" class="" type="disc">
<li style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif" class="">
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FHARICA-2Dofficial-252Fdebian-2Dweak-2Dkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987881346-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3D61WsoKxsDa5-252FjBab75Y-252FZG4PbcoE3RVkCWg-252BsfY2Aww-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=dWL9G_dD07M3-kQ4faHXjdMzoGF9wF5hEGlN2IrPwiA&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true">https://github.com/HARICA-official/debian-weak-keys</a></li>
</ul>
<p style="font-size:11pt;font-family:Calibri,sans-serif;margin-right:0in;margin-bottom:12pt;margin-left:0in" class="">
Please review
and let us
know if you
spot any
issues or
problems with
our approach
and
methodology.<br class="">
<br class="">
As always,
please use
other people's
work at your
own risk.<br class="">
<br class="">
<br class="">
Dimitris.</p>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
On 7/1/2021
2:25 μ.μ., Rob
Stradling via
Servercert-wg
wrote:</div>
</div>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt" class="">
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">I've
used crt.sh to
produce a
survey of key
algorithms/sizes in currently unexpired, publicly-trusted server
certificates:</span></div>
</div>
</div>
<div class="">
<p style="font-size:11pt;font-family:Calibri,sans-serif;margin:0in" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgist.github.com-252Frobstradling-252Fa5590b6a13218fe561dcb5d5c67932c5-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987881346-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3D4qveGxYahVQ6FbihVosw69bsGUs7hG1ytgI6YLxqYbY-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=0JiuTeERFFPZRGiB5foBRJZ5kJjHk51DCLjQbBVwSxc&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5</span></a></div>
</div>
</div>
<div class="">
<div class="">
<p style="font-size:11pt;font-family:Calibri,sans-serif;margin:0in" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">The
four most
popular
choices are no
surprise:
RSA-2048,
P-256,
RSA-4096, and
P-384.
openssl-blacklist
covers
RSA-2048 and
RSA-4096, and
ECC keys are
implicitly not
Debian weak
keys.</span></div>
</div>
</div>
<div class="">
<p style="font-size:11pt;font-family:Calibri,sans-serif;margin:0in" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">Fifth
most popular
is RSA-3072,
with over 3
million
unexpired,
publicly-trusted
server certs.
openssl-blacklist doesn't cover RSA-3072, but ISTM that this is a key
size that CAs
will want to
permit.</span></div>
</div>
</div>
<div class="">
<p style="font-size:11pt;font-family:Calibri,sans-serif;margin:0in" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class="">Some
of the lesser
used key sizes
are mostly
likely due to
Subscriber
typos (e.g.,
2408 and 3048
were probably
intended to be
2048, 4048 was
probably
intended to be
either 2048 or
4096, etc),
but some of
the other ones
look like they
were
deliberately
chosen (e.g.,
2432 is
2048+384). Is
it worth
generating
Debian weak
keys/blocklists
for any of
these key
sizes?</span></div>
</div>
</div>
<div class="">
<p style="font-size:11pt;font-family:Calibri,sans-serif;margin:0in" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fnvlpubs.nist.gov-252Fnistpubs-252FSpecialPublications-252FNIST.SP.800-2D57pt1r5.pdf-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987891313-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DrG1bgcAgL7P3RtCaCJ0cZTcYPkcUhTlsR4J6ulGFgso-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=zehaaELHzHzxLDM3dCTeAYaSLMufH4svdbHT74RDcq0&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf</span></a><span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> (Table
4, p59)
permits
RSA-2048 until
the end of
2030, whereas </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwww.sogis.eu-252Fdocuments-252Fcc-252Fcrypto-252FSOGIS-2DAgreed-2DCryptographic-2DMechanisms-2D1.2.pdf-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987891313-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DgCbutfTj362g-252BHqbrbYgcpm5etqbhCvUFpp8E2UYinE-253D-26reserved-3D0&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=fMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE&s=2FZ19CpL6_a-dWd0zh1d-4HiMpn4pWyZ0lsH3f1k140&e=" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><span style="font-size:12pt;font-family:Calibri,sans-serif" class="">https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.2.pd
f</span></a><span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> permits
RSA-2048 only
until the end
of 2025. It
is of course
possible that
quantum
computing will
render RSA
obsolete
before
Subscribers
need to think
about which
larger RSA
keysize they
want to
migrate to;
however, it
seems prudent
to also plan
for the
possibility
that RSA will
survive and
that some
other RSA
keysize(s)
might become
popular.</span></div>
</div>
</div>
<div class="">
<p style="font-size:11pt;font-family:Calibri,sans-serif;margin:0in" class="">
<span style="font-size:12pt;font-family:Calibri,sans-serif" class=""> </span></p>
</div>
<div style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif;text-align:center" class="" align="center">
<hr style="font-family:Calibri,sans-serif" class="" width="98%" size="2" align="center">
</div>
<div id="m_-5641879633787292213m_-1239830060004810024x_x_x_x_x_x_x_x_x_divRplyFwdMsg" class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;" class="">
<b style="font-family:Calibri,sans-serif" class="">From:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Servercert-wg<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:servercert-wg-bounces@cabforum.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><servercert-wg-bounces@cabforum.org></a><span style="font-family:Calibri,sans-serif" class=""> </span>on behalf of Rob
Stradling via
Servercert-wg<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:servercert-wg@cabforum.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><servercert-wg@cabforum.org></a><br class="">
<b style="font-family:Calibri,sans-serif" class="">Sent:</b><span style="font-family:Calibri,sans-serif" class=""> </span>06 January 2021
16:08<br class="">
<b style="font-family:Calibri,sans-serif" class="">To:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Jacob
Hoffman-Andrews<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:jsha@letsencrypt.org" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><jsha@letsencrypt.org></a>;
Christopher
Kemmerer<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:chris@ssl.com" rel="noopener
noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><chris@ssl.com></a>;
CA/B Forum
Server
Certificate WG
Public
Discussion
List<span style="font-family:Calibri,sans-serif" class=""> </span><a href="mailto:servercert-wg@cabforum.org" rel="noopener noreferrer" style="font-family:Calibri,sans-serif" target="_blank" class="" moz-do-not-send="true"><servercert-wg@cabforum.org></a><br class="">
<b style="font-family:Calibri,sans-serif" class="">Subject:</b><span style="font-family:Calibri,sans-serif" class=""> </span>Re:
[Servercert-wg]
SCXX Ballot
proposal:
Debian Weak
keys</div>
</div>
<div class="">
<p style="font-size:11pt;font-family:Calibri,sans-serif;margin:0in" class="">
</p>
</div>
</div>
<div class="">
<div style="border:1pt
solid
black;padding:2pt" class="">
<div class="">
<div style="margin:
0in;
font-size:
11pt;
font-family:
Calibri,
sans-serif;
line-height:
12pt;
background-color:
rgb(250, 250,
3);" class="">
<span style="font-size:10pt;font-family:Calibri,sans-serif;color:black" class="">CAUTION:
This email
originated
from outside
of the
organization.
Do not click
links or open
attachments
unless you
recognize the
sender and
know the
content is
safe.</span></div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Servercert-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org">Servercert-wg@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/servercert-wg">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
</body>
</html>