<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>Thanks for your suggestion, Martijn. We ourselves wouldn't object
to this addition, though we'd certainly like to poll the community
on their thoughts.<br>
<br>
We see that the vulnerability you address has been assigned <a class="moz-txt-link-freetext" href="https://nvd.nist.gov/vuln/detail/CVE-2022-26320">https://nvd.nist.gov/vuln/detail/CVE-2022-26320</a>,
with <a class="moz-txt-link-freetext" href="https://fermatattack.secvuln.info/">https://fermatattack.secvuln.info/</a>
looking like the main resource for this issue. We also note (per
that latter site) that Let's Encrypt has updated Boulder to check
for this vulnerability (<a class="moz-txt-link-freetext" href="https://github.com/letsencrypt/boulder/pull/5853">https://github.com/letsencrypt/boulder/pull/5853</a>).<br>
<br>
The Debian weak key and ROCA vulnerabilities have been known lo
these many years (although not all CAs had sufficient safeguards
in place, and the sections of the BRs provided less than
comprehensive guidance on what those safeguards should be - hence
this ballot initiative).<br>
<br>
Since CVE-2022-26320 was only published March 14 2022, one
alternative would be to defer a decision on the Fermat
attack language to another, later ballot, but we again invite
community input on incorporating this suggestion into our current
proposed ballot.<br>
<br>
One practical question (not addressed in our current language)
would be the deadline for CAs to add the checks required in this
ballot, with our thought being to place it in the nearer term
(some few months after ballot passage/review) but not immediately
upon adoption of the ballot. This particularly is of interest for
any changes/checks required for CVE-2022-26320, but in our view
any deadline should be considered to apply to all vulnerabilities
addressed in this ballot.<br>
<br>
Thanks,<br>
<br>
Chris K</p>
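<p>As an added illustration (not part of any message in this thread, and not Boulder's check or CA/B Forum ballot text), the following Python shows what a bounded Fermat-factorization check of the kind Martijn's proposed 6.1.1.3(4)(c) wording describes looks like in practice: the CA attempts to split the modulus with Fermat's method and rejects the key if a split is found within 100 rounds. The 100-round bound is taken from the proposed ballot language; the function names, the Miller-Rabin helper and the three constructed moduli (two small prime pairs and a 512-bit pair whose high bits agree) are this example's own assumptions, not data from the page.</p>

```python
"""Added example: a bounded Fermat-factorization check for RSA moduli.

Illustrative code written for this page, not Boulder's check and not
ballot text. It implements the check as the proposed 6.1.1.3(4)(c) wording
describes it: reject a key if Fermat's method splits the modulus within
100 rounds. The primes used below are constructed test data.
"""
import math
from typing import Optional, Tuple

MAX_ROUNDS = 100  # bound taken from the proposed ballot language


def fermat_factor(n: int, max_rounds: int = MAX_ROUNDS) -> Optional[Tuple[int, int]]:
    """Try to write n = a^2 - b^2 = (a-b)(a+b), starting at a = ceil(sqrt(n)).

    Each round advances a by one. If p and q are close, (p+q)/2 is only a
    few steps above sqrt(n) and the split is found almost immediately; for
    properly independent primes the loop runs out of rounds first.
    Returns (p, q) with p <= q, or None if no split was found in time.
    """
    if n < 4:
        return None
    if n % 2 == 0:
        return (2, n // 2)
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_rounds):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            p, q = a - b, a + b
            if p > 1:
                return (p, q)
        a += 1
    return None


def is_close_prime_weak(n: int, max_rounds: int = MAX_ROUNDS) -> bool:
    """The CA-side decision: True means the key must be rejected."""
    return fermat_factor(n, max_rounds) is not None


# --- helpers used only to build a realistic-size constructed test key ---

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _probably_prime(n: int) -> bool:
    """Deterministic Miller-Rabin with fixed bases (adequate for test data)."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest probable prime >= n (linear scan; fine for one test value)."""
    n |= 1
    while not _probably_prime(n):
        n += 2
    return n


def demo() -> dict:
    """Run the check on three constructed moduli and report the outcomes."""
    # 1. Small close primes (differ by 2): split in the very first round.
    n_close_small = 10007 * 10009
    # 2. Small but far-apart primes: (p+q)/2 is ~12,000 steps above sqrt(n),
    #    so 100 rounds is nowhere near enough and the key passes the check.
    n_far_small = 10007 * 65537
    # 3. Realistic size: two 512-bit primes sharing roughly their top 400 bits,
    #    the shape of key that the Fermat attack breaks instantly.
    p = next_prime(2**511 + 12345)
    q = next_prime(p + 2**100)
    return {
        "close_small": fermat_factor(n_close_small),
        "far_small_rejected": is_close_prime_weak(n_far_small),
        "close_big_rejected": is_close_prime_weak(p * q),
        "close_big_factors": fermat_factor(p * q),
        "close_big_expected": (p, q),
    }


if __name__ == "__main__":
    r = demo()
    print("10007*10009 ->", r["close_small"])
    print("10007*65537 rejected within 100 rounds?", r["far_small_rejected"])
    print("512-bit close pair rejected?", r["close_big_rejected"],
          "| recovered factors match:", r["close_big_factors"] == r["close_big_expected"])
```

<p>The point of the far-apart small case is the one a CA implementer needs to internalise: the bound makes this a cheap fixed-cost check (100 integer square roots on the modulus), not a factoring attempt, so a key that survives it is not proven strong, only not trivially close-prime weak. The 512-bit case shows why the bound is still useful: when the two primes share their high bits, (p+q)/2 is the very next integer above the square root of n and the modulus splits in round one.</p>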
<div class="moz-cite-prefix">On 4/5/2022 4:53 AM, Martijn Katerbarg
wrote:<br>
</div>
<blockquote type="cite" cite="mid:PH0PR17MB5390ABCACE93B657D27C8133E3E49@PH0PR17MB5390.namprd17.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US">Hi Chris,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US">I would like to propose an additional check to
the proposed language so it includes checking for the Close
Primes vulnerability. For this I’d like to propose we add to
6.1.1.3 (4):<br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US">“c) In the case of Close Primes vulnerability,
the CA SHALL reject weak keys identified within 100 rounds
using Fermat’s factorization method”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US">Martijn<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US" lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Servercert-wg
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg-bounces@cabforum.org"><servercert-wg-bounces@cabforum.org></a> <b>On Behalf
Of </b>Chris Kemmerer via Servercert-wg<br>
<b>Sent:</b> Thursday, 31 March 2022 16:43<br>
<b>To:</b> Jaime Hablutzel via Servercert-wg
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a><br>
<b>Subject:</b> Re: [Servercert-wg] [EXTERNAL]-Re: SCXX
Ballot proposal: Debian Weak keys<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">We are pleased to return to discussion of
this proposed ballot, which we've reprinted immediately
below.<br>
<br>
Based on the discussion thus far, we've addressed Corey's
point by adding the <b>bolded </b>line re: which
modulus/exponents a CA MUST check. (We generally agree with
Jaime's suggestion that CAs <i>should </i>check the
modulus only but don't see it as crucial to explicitly state
this in the ballot.)<o:p></o:p></p>
<p>We've also updated the version in the proposal.<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">If this
ballot proceeds the next available designation would be
SC55.<br>
<br>
Many thanks,<br>
<br>
Chris K<br>
<br>
<br>
===== <br>
<br>
--- Motion Begins --- <br>
<br>
<br>
This ballot modifies the “Baseline Requirements for the
Issuance and Management of Publicly-Trusted Certificates” as
follows, based on Version 1.8.2: <br>
<br>
<br>
Proposed ballot language: <br>
<br>
<br>
<i>4.9.1.1 Reasons for Revoking a Subscriber Certificate </i><br>
<br>
<br>
Replace: <br>
<br>
<br>
4. The CA is made aware of a demonstrated or proven method
that can easily compute the Subscriber’s Private Key based
on the Public Key in the Certificate (such as a Debian weak
key, see <a href="https://wiki.debian.org/SSLkeys" moz-do-not-send="true">https://wiki.debian.org/SSLkeys</a>)
<br>
<br>
<br>
With: <br>
<br>
<br>
4. The CA is made aware of a demonstrated or proven method
that can easily compute the Subscriber’s Private Key (such
as those identified in 6.1.1.3(4)). <br>
<br>
--- <br>
<br>
<i>6.1.1.3. Subscriber Key Pair Generation </i><br>
<br>
<br>
Replace: <br>
<br>
<br>
The CA SHALL reject a certificate request if one or more of
the following conditions are met: <br>
<br>
1. The Key Pair does not meet the requirements set forth in
Section 6.1.5 and/or Section 6.1.6; <br>
2. There is clear evidence that the specific method used to
generate the Private Key was flawed; <br>
3. The CA is aware of a demonstrated or proven method that
exposes the Applicant's Private Key to compromise; <br>
4. The CA has previously been made aware that the
Applicant's Private Key has suffered a Key Compromise, such
as through the provisions of Section 4.9.1.1; <br>
5. The CA is aware of a demonstrated or proven method to
easily compute the Applicant's Private Key based on the
Public Key (such as a Debian weak key, see <a href="https://wiki.debian.org/SSLkeys" moz-do-not-send="true">https://wiki.debian.org/SSLkeys</a>).
<br>
<br>
<br>
With: <br>
<br>
<br>
The CA SHALL reject a certificate request if one or more of
the following occurs: <br>
<br>
1) The requested Public Key does not meet the requirements
set forth in Sections 6.1.5 and/or 6.1.6; <br>
2) The CA is aware of a demonstrated or proven method that
exposes the Subscriber's Private Key to compromise; <br>
3) The CA has previously been made aware that the
Subscriber's Private Key has suffered a Key Compromise, such
as through the provisions of Section 4.9.1.1; <br>
4) The Public Key corresponds to an industry demonstrated
weak Private Key, in particular: <br>
a) In the case of ROCA vulnerability, the CA SHALL reject
keys identified by the tools available at <a href="https://github.com/crocs-muni/roca" moz-do-not-send="true">https://github.com/crocs-muni/roca</a>
or equivalent. <br>
b) In the case of Debian weak keys (<a href="https://wiki.debian.org/SSLkeys" moz-do-not-send="true">https://wiki.debian.org/SSLkeys</a>),
the CA SHALL reject at least keys generated by the flawed
OpenSSL version with the combination of the following
parameters: <br>
<br>
i) Big-endian 32-bit, little-endian 32-bit, and
little-endian 64-bit architecture; <br>
ii) Process ID of 0 to 32767, inclusive; <br>
iii) All RSA Public Key lengths supported by the CA up to
and including 4096 bits; <br>
iv) rnd, nornd, and noreadrnd OpenSSL random file state. <br>
<br>
For Debian weak keys not covered above, the CA SHALL take
actions to minimize the probability of certificate issuance.
<br>
<br>
<b>CAs MUST check for Debian weak keys for all RSA modulus
lengths and exponents that they accept.</b> <br>
<br>
--- Motion Ends ---<br>
<br>
=====<o:p></o:p></p>
<div>
<p class="MsoNormal">On 10/28/2021 3:55 PM, Jaime Hablutzel
via Servercert-wg wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">It could be helpful to be a little
bit more explicit on the fact that the required check
is against the modulus only, as it could prevent developers
from implementing this check against full public keys,
which can lead to:<o:p></o:p></p>
</div>
<div>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level1 lfo1">Some CAs could unknowingly embark
themselves in the onerous task of generating the
affected key pairs for each different public
exponent, which is not really required.<o:p></o:p></li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level1 lfo1">Because of the higher amount of work
required for supporting/maintaining the check in
this way, some CAs might mistakenly omit checking
some subscriber keys, e.g. they might have in their
blocklists only the affected public keys with the
public exponent set to 65537, even when they
(unintentionally) support subscriber keys with other
values for the public exponent.<o:p></o:p></li>
</ul>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Thu, 28 Oct 2021 at 03:02
Rob Stradling <<a href="mailto:rob@sectigo.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">rob@sectigo.com</a>>
wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">> I
think we can merely state that CAs must
check for Debian weak keys for all RSA
modulus lengths and exponents that they
accept. Using a comparison of the modulus
(or its hash) is essentially an
implementation detail that we don’t need to
explicitly mandate.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">Thanks
Corey. That makes sense.<o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
<div class="MsoNormal" style="text-align:center" align="center"><span style="font-size:12.0pt;color:black">
<hr width="98%" size="2" align="center"></span></div>
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From:</span></b><span style="font-size:12.0pt;color:black">
Corey Bonnell<br>
<b>Sent:</b> Wednesday, October 27, 2021
18:43<br>
<b>To:</b> Rob Stradling; Jaime Hablutzel;
CA/B Forum Server Certificate WG Public
Discussion List<br>
<b>Cc:</b> Christopher Kemmerer<br>
<b>Subject:</b> RE: [EXTERNAL]-Re:
[Servercert-wg] SCXX Ballot proposal:
Debian Weak keys <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">>
</span><span style="font-size:12.0pt;color:black" lang="EN-US">Hi Jaime. Ooh, you're
right! The affected OpenSSL
versions generate the same
predictable moduli regardless of the
public exponent value.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">Yes,
that’s great to know; thanks for
pointing it out.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">>
</span><span style="font-size:12.0pt;color:black" lang="EN-US">What's the best way to
capture all this in the ballot?</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">I
think we can merely state that CAs
must check for Debian weak keys for
all RSA modulus lengths and
exponents that they accept. Using a
comparison of the modulus (or its
hash) is essentially an
implementation detail that we don’t
need to explicitly mandate.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">Thanks,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Corey<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid
#E1E1E1 1.0pt;padding:3.0pt 0cm 0cm
0cm">
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Rob Stradling <<a href="mailto:rob@sectigo.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">rob@sectigo.com</a>>
<br>
<b>Sent:</b> Wednesday, October
27, 2021 5:31 AM<br>
<b>To:</b> Jaime Hablutzel <<a href="mailto:jhablutz@WISEKEY.COM" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">jhablutz@WISEKEY.COM</a>>;
CA/B Forum Server Certificate WG
Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>><br>
<b>Cc:</b> Corey Bonnell <<a href="mailto:Corey.Bonnell@digicert.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">Corey.Bonnell@digicert.com</a>>;
Christopher Kemmerer <<a href="mailto:chris@ssl.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">chris@ssl.com</a>><br>
<b>Subject:</b> Re:
[EXTERNAL]-Re: [Servercert-wg]
SCXX Ballot proposal: Debian
Weak keys<o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black" lang="EN-US">Hi Jaime. Ooh,
you're right! The affected
OpenSSL versions generate the same
predictable moduli regardless of
the public exponent value.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black" lang="EN-US">So yes, the optimal
approach seems to be for CAs to
use Debian weak key blocklists
that are based on only the RSA
modulus.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black" lang="EN-US">Corey's point applies
if a CA chooses instead to
implement a Debian weak key
blocklist of (for example)
SubjectPublicKeyInfos with public
exponent 65537.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black" lang="EN-US">What's the best way
to capture all this in the ballot?</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div class="MsoNormal" style="text-align:center" align="center"><span style="font-size:12.0pt;color:black" lang="EN-US">
<hr width="98%" size="1" align="center"></span></div>
<div>
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black" lang="EN-US">From:</span></b><span style="font-size:12.0pt;color:black" lang="EN-US"> Jaime Hablutzel<br>
<b>Sent:</b> Sunday, October 24,
2021 23:25<br>
<b>To:</b> Rob Stradling; CA/B
Forum Server Certificate WG
Public Discussion List<br>
<b>Cc:</b> Corey Bonnell;
Christopher Kemmerer<br>
<b>Subject:</b> Re:
[EXTERNAL]-Re: [Servercert-wg]
SCXX Ballot proposal: Debian
Weak keys </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Hi, I might be (very) wrong here, but shouldn’t blocklists be based only on the RSA modulus for different key sizes, so that validation implementations match the modulus only, irrespective of whatever the public exponent is? Or does the affected prime generation random source seed from the public exponent too?<o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On 22 Oct
2021, at 08:58, Rob
Stradling via
Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>> wrote:<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">> ...my opinion is that we should introduce a new requirement such that CAs must check for Debian weak keys for all RSA modulus lengths and exponents that they accept. CAs are uniquely positioned to prevent the usage of these weak keys in the web PKI, so there is a security benefit in mandating such universal checks.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">Hi Corey. Yeah, OK. You've
persuaded me.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">FWIW, my tools at <a href="https://github.com/CVE-2008-0166" target="_blank" moz-do-not-send="true">https://github.com/CVE-2008-0166</a> only support 65537 at the moment. I guess I'll just have to wait and see if anyone asks for other public exponent values to be supported. </span><span style="font-size:12.0pt;font-family:"Segoe UI Emoji",sans-serif" lang="EN-US">🙂</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div class="MsoNormal" style="text-align:center" align="center"><span style="font-size:12.0pt" lang="EN-US">
<hr style="width:729.1pt" width="972" size="1" align="center"></span></div>
<div>
<p class="MsoNormal"><b><span style="font-size:12.0pt" lang="EN-US">From:</span></b><span style="font-size:12.0pt" lang="EN-US"> Corey
Bonnell<br>
<b>Sent:</b> Tuesday,
October 19, 2021
19:48<br>
<b>To:</b> Rob
Stradling;
Christopher
Kemmerer; CA/B
Forum Server
Certificate WG
Public Discussion
List<br>
<b>Subject:</b> RE:
[Servercert-wg]
SCXX Ballot
proposal: Debian
Weak keys </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Hi
Rob,<o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Comments
inline.<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">> </span><span style="font-size:12.0pt" lang="EN-US">AFAICT, in the affected Debian OpenSSL versions:</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> - "openssl req -newkey" had a hardcoded public exponent of 65537 (see </span><span lang="EN-US"><a href="https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768</span></a></span><span style="font-size:12.0pt" lang="EN-US">).</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> - "openssl genrsa" defaulted to 65537, but provided a "-3" command-line option to use a public exponent of 3 instead (see </span><span lang="EN-US"><a href="https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/genrsa.c" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/genrsa.c</span></a></span><span style="font-size:12.0pt" lang="EN-US">).</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">As you point out, the command-line tooling bundled with OpenSSL 0.9.8 generally restricted the allowed exponent. However, the RSA key generation API allowed any exponent to be specified [1], so it is possible that a custom application passed exponent values besides 3 or 65537 to the RSA key generation function.<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">> </span><span style="font-size:12.0pt" lang="EN-US">Are there any good reasons to continue to permit the public exponent 3?</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Judging from Censys, it appears that there are some publicly trusted certificates containing RSA keys with an exponent of 3, so there will presumably be a (minor) ecosystem impact if an exponent value of 3 were banned. That being said, exponents smaller than 65537 are outside the SHOULD-level exponent range since BR v1.1.3 (now in section 6.1.6), so perhaps it’s time to consider strengthening the SHOULD to a MUST. Probably such a change would be outside the scope of this ballot, though.<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">> </span><span style="font-size:12.0pt" lang="EN-US">The "openssl-vulnkey" tool that Debian used to ship only provided blocklists for keys with public exponents of 65537, so should we take that as a sign that CAs needn't perform a Debian weak key check when the public exponent is anything other than 65537?</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">While the precedent set by accepted remediations for incidents surrounding Debian weak keys has been for CAs to check the lists distributed in the openssl-blacklist Debian package, my opinion is that we should introduce a new requirement such that CAs must check for Debian weak keys for all RSA modulus lengths and exponents that they accept. CAs are uniquely positioned to prevent the usage of these weak keys in the web PKI, so there is a security benefit in mandating such universal checks.<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Thanks,<o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Corey<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">[1] <a href="https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/crypto/rsa/rsa_gen.c#L78" target="_blank" moz-do-not-send="true">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/crypto/rsa/rsa_gen.c#L78</a><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid
#E1E1E1
1.0pt;padding:3.0pt
0cm 0cm 0cm">
<div>
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Rob
Stradling <<a href="mailto:rob@sectigo.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">rob@sectigo.com</a>> <br>
<b>Sent:</b> Tuesday,
October 19,
2021 11:31 AM<br>
<b>To:</b> Christopher
Kemmerer <<a href="mailto:chris@ssl.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">chris@ssl.com</a>>;
CA/B Forum
Server
Certificate WG
Public
Discussion
List <<a href="mailto:servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>;
Corey Bonnell
<<a href="mailto:Corey.Bonnell@digicert.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">Corey.Bonnell@digicert.com</a>><br>
<b>Subject:</b> Re:
[Servercert-wg] SCXX Ballot proposal: Debian Weak keys<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">Hi Corey.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">AFAICT, in the affected Debian
OpenSSL
versions:</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> - "openssl req -newkey" had a
hardcoded
public
exponent of
65537 (see </span><span lang="EN-US"><a href="https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768</span></a></span><span style="font-size:12.0pt" lang="EN-US">).</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> - "openssl genrsa" defaulted to
65537, but
provided a
"-3"
command-line
option to use
a public
exponent of 3
instead (see </span><span lang="EN-US"><a href="https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/genrsa.c" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/genrsa.c</span></a></span><span style="font-size:12.0pt" lang="EN-US">).</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">Are there any good reasons to
continue to
permit the
public
exponent 3?</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">The "openssl-vulnkey" tool that
Debian used to
ship only
provided
blocklists for
keys with
public
exponents of
65537, so
should we take
that as a sign
that CAs
needn't
perform a
Debian weak
key check when
the public
exponent is
anything other
than 65537?</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div class="MsoNormal" style="text-align:center" align="center"><span lang="EN-US">
<hr width="98%" size="1" align="center"></span></div>
<div id="m_-5641879633787292213m_-1239830060004810024x_x_x_divRplyFwdMsg">
<div>
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Servercert-wg
<<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg-bounces@cabforum.org</a>>
on behalf of
Corey Bonnell
via
Servercert-wg
<<a href="mailto:servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>><br>
<b>Sent:</b> 19
October 2021
15:31<br>
<b>To:</b> Christopher
Kemmerer <<a href="mailto:chris@ssl.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">chris@ssl.com</a>>;
CA/B Forum
Server
Certificate WG
Public
Discussion
List <<a href="mailto:servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>><br>
<b>Subject:</b> Re:
[Servercert-wg] SCXX Ballot proposal: Debian Weak keys<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div style="border:solid
black
1.0pt;padding:2.0pt
2.0pt 2.0pt
2.0pt">
<div>
<div>
<p class="MsoNormal" style="line-height:12.0pt;background:#FAFA03"><span style="font-size:10.0pt;color:black" lang="EN-US">CAUTION:
This email
originated
from outside
of the
organization.
Do not click
links or open
attachments
unless you
recognize the
sender and
know the
content is
safe.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Hi
Chris,<o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Apologies
for the late
reply. I
noticed that
the current
proposed
language has
no guidance
regarding RSA
exponents. I
think it would
be useful to
specify the
expectations
in this regard
(whether the
CA must check
for weak keys
for all key
lengths and
exponent
combinations
accepted/supported
by the CA, or
if checking
weak key lists
for only
exponents 3
and 65537 is
sufficient,
etc.).<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Thanks,<o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Corey<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div style="border:none;border-top:solid
#E1E1E1
1.0pt;padding:3.0pt
0cm 0cm 0cm">
<div>
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Servercert-wg
<<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg-bounces@cabforum.org</a>> <b>On
Behalf Of </b>Christopher
Kemmerer via
Servercert-wg<br>
<b>Sent:</b> Friday,
October 15,
2021 10:33 AM<br>
<b>To:</b> Rob
Stradling <<a href="mailto:rob@sectigo.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">rob@sectigo.com</a>>;
Dimitris
Zacharopoulos
(HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">dzacharo@harica.gr</a>>; CA/B Forum
Server
Certificate WG
Public
Discussion
List <<a href="mailto:servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>;
Jacob
Hoffman-Andrews
<<a href="mailto:jsha@letsencrypt.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">jsha@letsencrypt.org</a>><br>
<b>Subject:</b> Re:
[Servercert-wg] SCXX Ballot proposal: Debian Weak keys<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif" lang="EN-US">Thank
you, Rob, and we shall watch
for that
update.
Meanwhile we
are doing a
final-final
pass through
our draft
language for
clarity and
will send it
early next
week.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif" lang="EN-US">Chris
K<br>
<br>
Meanwhile,
we've cycled
our draft
language
through
another review
and have made
IIRC only one
or two minor
edits for
clarity (h/t
BenW).</span><span lang="EN-US"><o:p></o:p></span></p>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On
10/14/2021
9:49 AM, Rob
Stradling
wrote:<o:p></o:p></span></p>
</div>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">Today I rediscovered that I'd
previously
generated the
RSA-8192
blocklists
back in
December 2009,
and that
they're still
available at </span><span lang="EN-US"><a href="https://secure.sectigo.com/debian_weak_keys/" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://secure.sectigo.com/debian_weak_keys/</span></a></span><span style="font-size:12.0pt" lang="EN-US">. When I compared the old and new
RSA-8192
blocklists, I
found that
~0.8% of the
"rnd" keys are
different. It
looks like,
for reasons
unknown, the
"OpenSSL
random file
state"
misbehaved
occasionally
over the 8
month run that
ended
recently.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">I'll report back once I've
regenerated
and verified
the
problematic
keys.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div class="MsoNormal" style="text-align:center" align="center"><span lang="EN-US">
<hr width="98%" size="1" align="center"></span></div>
<div id="m_-5641879633787292213m_-1239830060004810024x_x_x_x_divRplyFwdMsg">
<div>
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Rob
Stradling <a href="mailto:rob@sectigo.com" target="_blank" moz-do-not-send="true"><rob@sectigo.com></a><br>
<b>Sent:</b> 23
September 2021
19:17<br>
<b>To:</b> Christopher
Kemmerer <a href="mailto:chris@ssl.com" target="_blank" moz-do-not-send="true"><chris@ssl.com></a>;
Dimitris
Zacharopoulos
(HARICA) <a href="mailto:dzacharo@harica.gr" target="_blank" moz-do-not-send="true"><dzacharo@harica.gr></a>;
CA/B Forum
Server
Certificate WG
Public
Discussion
List <a href="mailto:servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true"><servercert-wg@cabforum.org></a>;
Jacob
Hoffman-Andrews <a href="mailto:jsha@letsencrypt.org" target="_blank" moz-do-not-send="true"><jsha@letsencrypt.org></a>;
Rob Stradling<a href="mailto:rob@sectigo.com" target="_blank" moz-do-not-send="true"><rob@sectigo.com></a><br>
<b>Subject:</b> Re:
[Servercert-wg] SCXX Ballot proposal: Debian Weak keys<o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">> BTW, in case it helps, I'm
about half way
through
generating a
full set of
RSA-8192
Debian weak
keys, which
(when
complete) I'll
add to the </span><span lang="EN-US"><a href="https://github.com/CVE-2008-0166" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166</span></a></span><span style="font-size:12.0pt" lang="EN-US"> repositories.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">It took nearly 8 months (using
just a single
core of a
fairly modest
CPU), but it
finally
finished!
Repositories
updated.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div class="MsoNormal" style="text-align:center" align="center"><span lang="EN-US">
<hr width="98%" size="1" align="center"></span></div>
<div id="m_-5641879633787292213m_-1239830060004810024x_x_x_x_x_divRplyFwdMsg">
<div>
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Servercert-wg <a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank" moz-do-not-send="true"><servercert-wg-bounces@cabforum.org></a> on
behalf of Rob
Stradling via
Servercert-wg <a href="mailto:servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true"><servercert-wg@cabforum.org></a><br>
<b>Sent:</b> 13
May 2021 15:42<br>
<b>To:</b> Christopher
Kemmerer <a href="mailto:chris@ssl.com" target="_blank" moz-do-not-send="true"><chris@ssl.com></a>;
Dimitris
Zacharopoulos
(HARICA) <a href="mailto:dzacharo@harica.gr" target="_blank" moz-do-not-send="true"><dzacharo@harica.gr></a>;
CA/B Forum
Server
Certificate WG
Public
Discussion
List <a href="mailto:servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true"><servercert-wg@cabforum.org></a>;
Jacob
Hoffman-Andrews <a href="mailto:jsha@letsencrypt.org" target="_blank" moz-do-not-send="true"><jsha@letsencrypt.org></a><br>
<b>Subject:</b> Re:
[Servercert-wg] SCXX Ballot proposal: Debian Weak keys<o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">> iii) All RSA Public Key
lengths
supported by
the CA up to
and including
4096 bits;</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">> ...</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">> For Debian weak keys not
covered above,
the CA SHALL
take actions
to minimize
the
probability of
certificate
issuance.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">Hi Christopher. What sort of
"actions" are
envisaged
here? If a CA
is processing
a certificate
request that
contains a
(for example)
RSA-4088
public key
(i.e., a key
size not
covered by an
available
Debian weak
list), either
the CA is
going to issue
the cert or
they're not.
What,
concretely,
does "minimize
the
probability of
certificate
issuance"
actually mean?</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">Why not remove that "SHALL"
sentence and
change point
iii to: "<span style="color:black;background:white">iii) All RSA Public Key lengths
supported by
the CA." ?</span></span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">BTW, in case it helps, I'm about
half way
through
generating a
full set of
RSA-8192
Debian weak
keys, which
(when
complete) I'll
add to the </span><span lang="EN-US"><a href="https://github.com/CVE-2008-0166" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166</span></a></span><span style="font-size:12.0pt" lang="EN-US"> repositories.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
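<p class="MsoNormal"><span lang="EN-US">An added example (not code from any message in this thread, nor from Debian's or Sectigo's tooling) showing how a CA-side gate can make the coverage questions raised in the messages above explicit: Corey's question about which key-length/exponent combinations must be checked, Rob's note that the openssl-vulnkey blocklists only covered exponent 65537, and his point that a key size with no available list (his RSA-4088 case) is either issued or refused. Fingerprints follow Debian's openssl-blacklist convention (low 80 bits of SHA-1 over the "Modulus=..." line that openssl prints); the blocklist layout assumed for the loader is that package's (one fingerprint per line, "#" comments), and the moduli, list contents and supported-size policy are constructed for illustration.</span></p>

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

HEX_DIGITS = frozenset("0123456789abcdef")


def modulus_fingerprint(n: int) -> str:
    """Blocklist fingerprint of an RSA modulus in the openssl-blacklist convention.

    `openssl rsa -noout -modulus` prints "Modulus=<UPPERCASE HEX>\\n"; the Debian
    lists store the low 80 bits (last 20 hex digits) of the SHA-1 of that line.
    """
    line = f"Modulus={n:X}\n".encode("ascii")
    return hashlib.sha1(line).hexdigest()[-20:]


def parse_blocklist(text: str) -> frozenset[str]:
    """Parse a blocklist file: '#' comment lines, one 20-hex-digit fingerprint per line."""
    entries = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if len(line) != 20 or not set(line) <= HEX_DIGITS:
            raise ValueError(f"blocklist line {lineno}: not a 20-hex-digit fingerprint: {raw!r}")
        entries.add(line)
    return frozenset(entries)


@dataclass(frozen=True)
class WeakKeyPolicy:
    """Which RSA keys the CA accepts, and which Debian weak key lists it has loaded.

    Blocklists are keyed by (modulus bits, public exponent): the affected
    generator's output depends on both, so a list built for one exponent says
    nothing about keys generated with another.
    """
    blocklists: dict[tuple[int, int], frozenset[str]] = field(default_factory=dict)
    supported_bits: frozenset[int] = frozenset({2048, 3072, 4096})
    supported_exponents: frozenset[int] = frozenset({65537})

    def uncovered(self) -> list[tuple[int, int]]:
        """Accepted (bits, e) combinations for which no blocklist is loaded."""
        accepted = {(b, e) for b in self.supported_bits for e in self.supported_exponents}
        return sorted(accepted - set(self.blocklists))

    def check(self, n: int, e: int) -> tuple[bool, str]:
        """Return (may_issue, reason) for an RSA public key (n, e)."""
        bits = n.bit_length()
        if bits not in self.supported_bits:
            return False, f"RSA-{bits} is not a supported key length"
        if e not in self.supported_exponents:
            return False, f"public exponent {e} is not supported"
        fingerprints = self.blocklists.get((bits, e))
        if fingerprints is None:
            # A supported combination with no list cannot be checked at all, so it
            # is a hard stop rather than a "reduced probability" of issuance.
            return False, f"no Debian weak key blocklist loaded for RSA-{bits}, e={e}"
        fp = modulus_fingerprint(n)
        if fp in fingerprints:
            return False, f"Debian weak key (CVE-2008-0166) blocklist match {fp}"
        return True, "not found in Debian weak key blocklist"


# Constructed stand-in moduli: 2048-bit odd integers, NOT real Debian weak keys.
CONSTRUCTED_WEAK_N = (1 << 2047) | 0x1F3D5B79
CONSTRUCTED_GOOD_N = (1 << 2047) | 0x2A5

# Constructed blocklist text in the openssl-blacklist layout, seeded with the
# fingerprint of the stand-in "weak" modulus so the match path is exercised.
CONSTRUCTED_RSA2048_LIST = (
    "# constructed RSA-2048 / e=65537 blocklist (example data)\n"
    f"{modulus_fingerprint(CONSTRUCTED_WEAK_N)}\n"
)


def demo_policy() -> WeakKeyPolicy:
    """Policy with lists for RSA-2048 and RSA-4096 only, leaving RSA-3072 uncovered."""
    return WeakKeyPolicy(blocklists={
        (2048, 65537): parse_blocklist(CONSTRUCTED_RSA2048_LIST),
        (4096, 65537): frozenset(),  # constructed: an empty list stands in for a loaded one
    })


if __name__ == "__main__":
    policy = demo_policy()
    print("uncovered (bits, e) combinations:", policy.uncovered())
    for n, e in [(CONSTRUCTED_WEAK_N, 65537), (CONSTRUCTED_GOOD_N, 65537),
                 (CONSTRUCTED_GOOD_N, 3), ((1 << 4087) | 0x2A5, 65537)]:
        print(f"RSA-{n.bit_length()} e={e}:", policy.check(n, e))
```

Running `uncovered()` at startup is the operational check the thread asks for: it lists every (length, exponent) pair the CA accepts but cannot screen, before any such key reaches issuance.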
<div>
<div class="MsoNormal" style="text-align:center" align="center"><span lang="EN-US">
<hr width="98%" size="1" align="center"></span></div>
<div id="m_-5641879633787292213m_-1239830060004810024x_x_x_x_x_x_divRplyFwdMsg">
<div>
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Christopher
Kemmerer <a href="mailto:chris@ssl.com" target="_blank" moz-do-not-send="true"><chris@ssl.com></a><br>
<b>Sent:</b> 13
May 2021 15:12<br>
<b>To:</b> Rob
Stradling <a href="mailto:rob@sectigo.com" target="_blank" moz-do-not-send="true"><rob@sectigo.com></a>;
Dimitris
Zacharopoulos
(HARICA) <a href="mailto:dzacharo@harica.gr" target="_blank" moz-do-not-send="true"><dzacharo@harica.gr></a>;
CA/B Forum
Server
Certificate WG
Public
Discussion
List <a href="mailto:servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true"><servercert-wg@cabforum.org></a>;
Jacob
Hoffman-Andrews <a href="mailto:jsha@letsencrypt.org" target="_blank" moz-do-not-send="true"><jsha@letsencrypt.org></a><br>
<b>Subject:</b> Re:
[Servercert-wg] SCXX Ballot proposal: Debian Weak keys<o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;vertical-align:baseline"><span lang="EN-US">Hello,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;vertical-align:baseline"><span lang="EN-US">We
deeply
appreciate the
useful
discussion in
this thread
regarding this
issue. We
especially
applaud the
efforts of
HARICA and
Sectigo to
independently
generate more
comprehensive
lists of
potentially
affected
Debian weak
keys. As Rob
Stradling
observed
through his
crt.sh
research
(20210107, <a href="https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5" target="_blank" moz-do-not-send="true">https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5</a>)
of the five
most utilized
algorithm/key
size
populations,
two are ECC
(so not
impacted by
the Debian
weak key
issue) and
three are RSA
(2048, 4096,
and 3072 bit
length, in
that order).<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;vertical-align:baseline"><span lang="EN-US">As
of their most
recent
messages it
appears that
these two
organizations
have
independently
generated
comprehensive
lists
identifying
all RSA-2048
and -4096 bit
length keys.
(We understand
RSA-3072
length keys
are also
available.)
This offers
the
possibility
that complete
lists, if
accepted as
authoritative,
could be
accessed by
the community
to help
prevent
exploitation
of this
vulnerability.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;vertical-align:baseline"><span lang="EN-US">It
was also noted
(by the
representative
from Let's
Encrypt) that
the ROCA
vulnerability
is presently
identified
through use of
a tool
supported
externally. It
was suggested
that this
resource be
archived in a
manner that
ensures
availability.
(Our proposed
language
points to "<a href="https://github.com/crocs-muni/roca" target="_blank" moz-do-not-send="true">https://github.com/crocs-muni/roca</a>
or
equivalent.")<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;vertical-align:baseline"><span lang="EN-US">We
think our
present ballot
language
(reproduced at
the end of
this message)
provides
appropriately
focused
guidance to
CAs. If
available,
we'd certainly
like to also
see the
HARICA/Sectigo
lists (which
CAs could use
for the
majority of
Debian weak
key use cases)
captured
somewhere in
this ballot
language. We
are agnostic
as to 1) where
exactly these
resources
might be
maintained and
2) where this
ballot places
directions to
these
resources - an
annex to the
current
requirements,
a separate
CA/BF guidance
document or
within
Sections 4.9.1.1/6.1.1.3.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;vertical-align:baseline"><span lang="EN-US">Our
intent is to
ensure that 1)
clear,
accurate
guidance on CA
expectations
is provided
and 2) any
resources
assisting CAs
in meeting
these
expectations
are fully
described,
publicly
available
(somewhere)
and with
reliable links
provided. The
language
below, we
feel, meets
the first
requirement.
We'd
appreciate
input on how
to best meet
the second.
(Note that <a href="http://ssl.com/" target="_blank" moz-do-not-send="true">SSL.com</a> would be happy to
support the
community by
hosting any of
these as
publicly
accessible
resources,
whether solo
or alongside
other
organizations.)<o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">Chris K <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;vertical-align:baseline"><span lang="EN-US"><a href="http://ssl.com/" target="_blank" moz-do-not-send="true">SSL.com</a><o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">===== <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">--- Motion Begins
--- <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">This ballot modifies
the “Baseline
Requirements
for the
Issuance and
Management of
Publicly-Trusted Certificates” as follows, based on Version 1.7.4: <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">Proposed ballot
language: <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><b><span lang="EN-US">4.9.1.1 Reasons
for Revoking a
Subscriber
Certificate</span></b><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">Replace: <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">4. The CA is made
aware of a
demonstrated
or proven
method that
can easily
compute the
Subscriber’s
Private Key
based on the
Public Key in
the
Certificate
(such as a
Debian weak
key, see <a href="https://wiki.debian.org/SSLkeys" target="_blank" moz-do-not-send="true">https://wiki.debian.org/SSLkeys</a>) <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">With: <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">4. The CA is made
aware of a
demonstrated
or proven
method that
can easily
compute the
Subscriber’s
Private Key
(such as those
identified in
6.1.1.3(4)). <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">--- <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><b><span lang="EN-US">6.1.1.3.
Subscriber Key
Pair
Generation</span></b><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">Replace: <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">The CA SHALL reject a
certificate
request if one
or more of the
following
conditions are
met: <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">1. The Key Pair does
not meet the
requirements
set forth in
Section 6.1.5
and/or Section
6.1.6; <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">2. There is clear
evidence that
the specific
method used to
generate the
Private Key
was flawed; <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">3. The CA is aware of
a demonstrated
or proven
method that
exposes the
Applicant's
Private Key to
compromise; <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">4. The CA has
previously
been made
aware that the
Applicant's
Private Key
has suffered a
Key
Compromise,
such as
through the
provisions of
Section
4.9.1.1; <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">5. The CA is aware of a demonstrated or proven method to easily compute the Applicant's Private Key based on the Public Key (such as a Debian weak key, see <a href="https://wiki.debian.org/SSLkeys" target="_blank" moz-do-not-send="true">https://wiki.debian.org/SSLkeys</a>). <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">With: <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">The CA SHALL reject a
certificate
request if one
or more of the
following
occurs: <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">1) The requested
Public Key
does not meet
the
requirements
set forth in
Sections 6.1.5
and/or 6.1.6; <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">2) The CA is aware of
a demonstrated
or proven
method that
exposes the
Subscriber's
Private Key to
compromise; <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">3) The CA has
previously
been made
aware that the
Subscriber's
Private Key
has suffered a
Key
Compromise,
such as
through the
provisions of
Section
4.9.1.1; <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">4) The Public Key
corresponds to
an industry
demonstrated
weak Private
Key, in
particular: <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">a) In the case of ROCA vulnerability, the CA SHALL reject keys identified by the tools available at <a href="https://github.com/crocs-muni/roca" target="_blank" moz-do-not-send="true">https://github.com/crocs-muni/roca</a> or equivalent. <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">b) In the case of Debian weak keys (<a href="https://wiki.debian.org/SSLkeys" target="_blank" moz-do-not-send="true">https://wiki.debian.org/SSLkeys</a>), the CA SHALL reject at least keys generated by the flawed OpenSSL version with the combination of the following parameters: <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">i) Big-endian 32-bit,
little-endian
32-bit, and
little-endian
64-bit
architecture; <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">ii) Process ID of 0
to 32767,
inclusive; <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">iii) All RSA Public
Key lengths
supported by
the CA up to
and including
4096 bits; <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">iv) rnd, nornd, and
noreadrnd
OpenSSL random
file state. <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">For Debian weak keys
not covered
above, the CA
SHALL take
actions to
minimize the
probability of
certificate
issuance. <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><span lang="EN-US">--- Motion Ends ---<o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On
1/18/2021 3:34
PM, Rob
Stradling
wrote:<o:p></o:p></span></p>
</div>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">> I'm mid-way through
generating the
RSA-4096 keys.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">The RSA-4096 private keys and blocklists are now in </span><span lang="EN-US"><a href="https://github.com/CVE-2008-0166/private_keys" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166/private_keys</span></a></span><span style="font-size:12.0pt" lang="EN-US"> and </span><span lang="EN-US"><a href="https://github.com/CVE-2008-0166/openssl_blocklists" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166/openssl_blocklists</span></a></span><span style="font-size:12.0pt" lang="EN-US">.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">The RSA-2048 and RSA-4096 private keys in </span><span lang="EN-US"><a href="https://github.com/HARICA-official/debian-weak-keys" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://github.com/HARICA-official/debian-weak-keys</span></a></span><span style="font-size:12.0pt" lang="EN-US"> (which only covers 2 of the 3 word size / endianness combinations) are identical to the equivalents in </span><span lang="EN-US"><a href="https://github.com/CVE-2008-0166/private_keys" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166/private_keys</span></a></span><span style="font-size:12.0pt" lang="EN-US">.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div class="MsoNormal" style="text-align:center" align="center"><span lang="EN-US">
<hr width="98%" size="1" align="center"></span></div>
<div id="m_-5641879633787292213m_-1239830060004810024x_x_x_x_x_x_x_divRplyFwdMsg">
<div>
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Dimitris
Zacharopoulos
(HARICA) <a href="mailto:dzacharo@harica.gr" target="_blank" moz-do-not-send="true"><dzacharo@harica.gr></a><br>
<b>Sent:</b> 14
January 2021
18:39<br>
<b>To:</b> Rob
Stradling <a href="mailto:rob@sectigo.com" target="_blank" moz-do-not-send="true"><rob@sectigo.com></a>; CA/B
Forum Server
Certificate WG
Public
Discussion
List <a href="mailto:servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true"><servercert-wg@cabforum.org></a>;
Jacob
Hoffman-Andrews <a href="mailto:jsha@letsencrypt.org" target="_blank" moz-do-not-send="true"><jsha@letsencrypt.org></a>;
Christopher
Kemmerer <a href="mailto:chris@ssl.com" target="_blank" moz-do-not-send="true"><chris@ssl.com></a><br>
<b>Subject:</b> Re:
[Servercert-wg] SCXX Ballot proposal: Debian Weak keys<o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On
14/1/2021
12:30 π.μ.,
Rob Stradling
wrote:<o:p></o:p></span></p>
</div>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">Thanks Dimitris.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">So far I've generated the RSA-2048 and RSA-3072 keys using </span><span lang="EN-US"><a href="https://github.com/CVE-2008-0166/key_generator" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166/key_generator</span></a></span><span style="font-size:12.0pt" lang="EN-US"> and uploaded them to </span><span lang="EN-US"><a href="https://github.com/CVE-2008-0166/private_keys" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166/private_keys</span></a></span><span style="font-size:12.0pt" lang="EN-US">, and I've generated the corresponding blocklists and uploaded them to </span><span lang="EN-US"><a href="https://github.com/CVE-2008-0166/openssl_blocklists" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://github.com/CVE-2008-0166/openssl_blocklists</span></a></span><span style="font-size:12.0pt" lang="EN-US">. My RSA-2048 blocklists exactly match the ones from the original Debian openssl-blacklist package.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">I'm mid-way through generating the
RSA-4096 keys.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">Let's compare keys when we're both done. </span><span style="font-size:12.0pt;font-family:&quot;Segoe UI Emoji&quot;,sans-serif" lang="EN-US">🙂</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-US"><br>
Certainly :-)
the RSA-2048
keys already
match the
fingerprints
from the
openssl-blacklist
Debian
package.<br>
<br>
We did this
work several
months ago but
never found
the time to
make it
publicly
available. We
managed to
break down the
big task and
run jobs in
parallel which
made things a
bit more
interesting.<br>
<br>
It's nice we did this independently, I guess it increases the accuracy level of the resulting keys :)<br>
<br>
<br>
Cheers,<br>
Dimitris.<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<div class="MsoNormal" style="text-align:center" align="center"><span lang="EN-US">
<hr width="98%" size="1" align="center"></span></div>
<div id="m_-5641879633787292213m_-1239830060004810024x_x_x_x_x_x_x_x_divRplyFwdMsg">
<div>
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Dimitris
Zacharopoulos
(HARICA) <a href="mailto:dzacharo@harica.gr" target="_blank" moz-do-not-send="true"><dzacharo@harica.gr></a><br>
<b>Sent:</b> 13
January 2021
21:49<br>
<b>To:</b> Rob
Stradling <a href="mailto:rob@sectigo.com" target="_blank" moz-do-not-send="true"><rob@sectigo.com></a>; CA/B
Forum Server
Certificate WG
Public
Discussion
List <a href="mailto:servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true"><servercert-wg@cabforum.org></a>;
Jacob
Hoffman-Andrews <a href="mailto:jsha@letsencrypt.org" target="_blank" moz-do-not-send="true"><jsha@letsencrypt.org></a>;
Christopher
Kemmerer <a href="mailto:chris@ssl.com" target="_blank" moz-do-not-send="true"><chris@ssl.com></a><br>
<b>Subject:</b> Re:
[Servercert-wg] SCXX Ballot proposal: Debian Weak keys<o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Dear
friends,<br>
<br>
HARICA has
generated the
weak keys (RSA
2048 and 4096
bit lengths)
from the
vulnerable
openssl
package. We
will generate
3072 bit keys
as well and
add them soon.
The
methodology is
described in
the following
GitHub repo
along with the
produced keys:<o:p></o:p></span></p>
</div>
</div>
<ul style="margin-top:0cm" type="disc">
<li class="MsoNormal" style="mso-list:l0 level1 lfo2"><span lang="EN-US"><a href="https://github.com/HARICA-official/debian-weak-keys" target="_blank" moz-do-not-send="true">https://github.com/HARICA-official/debian-weak-keys</a><o:p></o:p></span></li>
</ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span lang="EN-US">Please
review and let
us know if you
spot any
issues or
problems with
our approach
and
methodology.<br>
<br>
As always,
please use
other people's
work at your
own risk.<br>
<br>
<br>
Dimitris.<o:p></o:p></span></p>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On
7/1/2021 2:25
μ.μ., Rob
Stradling via
Servercert-wg
wrote:<o:p></o:p></span></p>
</div>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">I've used crt.sh to produce a
survey of key
algorithms/sizes in currently unexpired, publicly-trusted server
certificates:</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"><a href="https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5</span></a><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">The four most popular choices are
no surprise:
RSA-2048,
P-256,
RSA-4096, and
P-384.
openssl-blacklist
covers
RSA-2048 and
RSA-4096, and
ECC keys are
implicitly not
Debian weak
keys.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">Fifth most popular is RSA-3072,
with over 3
million
unexpired,
publicly-trusted
server certs.
openssl-blacklist doesn't cover RSA-3072, but ISTM that this is a key
size that CAs
will want to
permit.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US">Some of the lesser-used key sizes are most likely due to Subscriber typos (e.g., 2408 and 3048 were probably intended to be 2048, 4048 was probably intended to be either 2048 or 4096, etc), but some of the other ones look like they were deliberately chosen (e.g., 2432 is 2048+384). Is it worth generating Debian weak keys/blocklists for any of these key sizes?</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf</span></a></span><span style="font-size:12.0pt" lang="EN-US"> (Table 4, p59) permits RSA-2048 until the end of 2030, whereas </span><span lang="EN-US"><a href="https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.2.pdf" target="_blank" moz-do-not-send="true"><span style="font-size:12.0pt">https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.2.pdf</span></a></span><span style="font-size:12.0pt" lang="EN-US"> permits RSA-2048 only until the end of 2025. It is of course possible that quantum computing will render RSA obsolete before Subscribers need to think about which larger RSA keysize they want to migrate to; however, it seems prudent to also plan for the possibility that RSA will survive and that some other RSA keysize(s) might become popular.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
<div class="MsoNormal" style="text-align:center" align="center"><span lang="EN-US">
<hr width="98%" size="1" align="center"></span></div>
<div id="m_-5641879633787292213m_-1239830060004810024x_x_x_x_x_x_x_x_x_divRplyFwdMsg">
<div>
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Servercert-wg <a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank" moz-do-not-send="true">&lt;servercert-wg-bounces@cabforum.org&gt;</a> on behalf of Rob Stradling via Servercert-wg <a href="mailto:servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true">&lt;servercert-wg@cabforum.org&gt;</a><br>
<b>Sent:</b> 06 January 2021 16:08<br>
<b>To:</b> Jacob Hoffman-Andrews <a href="mailto:jsha@letsencrypt.org" target="_blank" moz-do-not-send="true">&lt;jsha@letsencrypt.org&gt;</a>; Christopher Kemmerer <a href="mailto:chris@ssl.com" target="_blank" moz-do-not-send="true">&lt;chris@ssl.com&gt;</a>; CA/B Forum Server Certificate WG Public Discussion List <a href="mailto:servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true">&lt;servercert-wg@cabforum.org&gt;</a><br>
<b>Subject:</b> Re: [Servercert-wg] SCXX Ballot proposal: Debian Weak keys<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Servercert-wg mailing list<o:p></o:p></pre>
<pre><a href="mailto:Servercert-wg@cabforum.org" moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><o:p></o:p></pre>
</blockquote>
</div>
</div>
</blockquote>
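<p>A worked check for the coverage gap Rob raises in the quoted message above (openssl-blacklist covering RSA-2048 and RSA-4096 but not RSA-3072 or sizes such as 2432), as an added example that is not part of the thread, of openssl-blacklist, or of any CA's code. It assumes the openssl-blacklist fingerprint convention (last 20 hex characters of the SHA-1 of the "Modulus=&lt;UPPERCASE HEX&gt;" line plus newline, as openssl prints it) and a file layout of '#' comment lines followed by one fingerprint per line; the moduli and blocklist entries are constructed for illustration, and the third outcome, "uncovered", is the case a CA policy has to decide on.</p>

```python
import hashlib


def blacklist_fingerprint(n: int) -> str:
    """Fingerprint of an RSA modulus in the form assumed for openssl-blacklist:
    SHA-1 of the `openssl rsa -modulus` output line "Modulus=<UPPERCASE HEX>"
    with its trailing newline, truncated to the last 20 hex characters."""
    hexmod = n.to_bytes((n.bit_length() + 7) // 8, "big").hex().upper()
    digest = hashlib.sha1(f"Modulus={hexmod}\n".encode("ascii")).hexdigest()
    return digest[-20:]


def load_blocklist(text: str) -> set:
    """Parse one per-key-size blocklist file (assumed layout: '#' comment
    lines, then one 20-hex-char fingerprint per line)."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def check_debian_weak(n: int, blocklists: dict) -> str:
    """Return 'weak', 'ok' or 'uncovered'.

    'uncovered' means there is no blocklist for this key size at all, so the
    check gives no assurance; policy must decide whether such sizes (e.g.
    RSA-3072 or 2432 bits) get a generated blocklist, are allowed, or not."""
    bits = n.bit_length()
    if bits not in blocklists:
        return "uncovered"
    return "weak" if blacklist_fingerprint(n) in blocklists[bits] else "ok"


# Constructed sample moduli (not real keys, let alone real Debian weak keys);
# odd numbers of the right bit length are enough to exercise the lookup.
WEAK_2048 = (1 << 2047) | (0xC0FFEE << 64) | 1
OTHER_2048 = (1 << 2047) | (0xDEADBEEF << 64) | 1
KEY_3072 = (1 << 3071) | 1
KEY_2432 = (1 << 2431) | 1  # 2048+384, a size seen in the wild per the thread

# Constructed blocklist files, one per key size like blacklist.RSA-2048 and
# blacklist.RSA-4096 in the openssl-blacklist package (no RSA-3072 file).
SAMPLE_FILES = {
    2048: "# constructed blacklist.RSA-2048\n" + blacklist_fingerprint(WEAK_2048) + "\n",
    4096: "# constructed blacklist.RSA-4096 (empty)\n",
}
SAMPLE_BLOCKLISTS = {bits: load_blocklist(text) for bits, text in SAMPLE_FILES.items()}

if __name__ == "__main__":
    for name, n in [("WEAK_2048", WEAK_2048), ("OTHER_2048", OTHER_2048),
                    ("KEY_3072", KEY_3072), ("KEY_2432", KEY_2432)]:
        print(f"{name}: {n.bit_length()} bits -> {check_debian_weak(n, SAMPLE_BLOCKLISTS)}")
```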
</body>
</html>