
<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>

</head>

<body dir="ltr">

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">

In July 2022 we learnt [1] that, contrary to popular belief, OpenSSL on Debian circa 2008 was capable of producing vulnerable ECC keys.  Let's Encrypt posted a detailed incident report related to this topic, which is well worth a read.</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">

The draft ballot text currently refers only to RSA keys.  <span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">Have the ballot authors considered adding text to address weak Debian ECC keys?</span></div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0">

[1] <a href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/PU2ctmlXUc8/m/_63bBHWfAAAJ">https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/PU2ctmlXUc8/m/_63bBHWfAAAJ</a></div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof ContentPasted0 ContentPasted1">

[2] <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1789521">https://bugzilla.mozilla.org/show_bug.cgi?id=1789521</a></div>

<div id="appendonsend"></div>

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)" class="elementToProof">

<br>

</div>

<hr tabindex="-1" style="display:inline-block; width:98%">

<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Servercert-wg <servercert-wg-bounces@cabforum.org> on behalf of Inigo Barreira via Servercert-wg <servercert-wg@cabforum.org><br>

<b>Sent:</b> 16 March 2023 16:11<br>

<b>To:</b> CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org><br>

<b>Subject:</b> [Servercert-wg] RV: Redline for SC-59: Weak keys ballot</font>

<div> </div>

</div>

<div lang="ES" style="word-wrap:break-word">

<p></p>

<div style="background-color:#FAFA03; width:100%; border-style:solid; border-color:#000000; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align:left">

<span style="color:000000">CAUTION:</span> This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</div>

<br>

<p></p>

<div>

<div class="x_WordSection1">

<p class="x_MsoNormal" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;">

<span lang="EN-GB" style="">Forwarding it to the Sever Certificate WG</span></p>

<p class="x_MsoNormal" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;">

<span lang="EN-GB" style=""> </span></p>

<div>

<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0cm 0cm 0cm">

<p class="x_MsoNormal" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;">

<b>De:</b> Smcwg-public <smcwg-public-bounces@cabforum.org> <b>En nombre de </b>Chris Kemmerer via Smcwg-public<br>

<b>Enviado el:</b> jueves, 16 de marzo de 2023 15:46<br>

<b>Para:</b> smcwg-public@cabforum.org<br>

<b>Asunto:</b> [Smcwg-public] Redline for SC-59: Weak keys ballot</p>

</div>

</div>

<p class="x_MsoNormal" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;">

 </p>

<div style="border:solid black 1.0pt; padding:2.0pt 2.0pt 2.0pt 2.0pt">

<p class="x_MsoNormal" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;line-height:12.0pt; background:#FAFA03">

<span style="font-size:10.0pt; color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span></p>

</div>

<p class="x_MsoNormal" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;">

 </p>

<div>

<div>

<p class="x_MsoNormal" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;background:white">

<span style="font-size:12.0pt; color:black">Hello,</span></p>

</div>

<div>

<p class="x_MsoNormal" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;background:white">

<span style="font-size:12.0pt; color:black"> </span></p>

</div>

<div>

<p class="x_MsoNormal" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;background:white">

<span style="font-size:12.0pt; color:black">A diff for our proposed changes may be found here: <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fcompare%2F2c63814...9ecc201%3Fdiff%3Dsplit&data=05%7C01%7Crob%40sectigo.com%7C08fdbbb65b4d49533cd808db26391b8b%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638146414795300553%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=EoNGCR1Ntt2v5L%2BQ6eo2MI3Mt1Q0r61kLql%2Fe4yu%2Fws%3D&reserved=0" data-auth="Verified" originalsrc="https://github.com/cabforum/servercert/compare/2c63814...9ecc201?diff=split" shash="GSC73nxi95RSfZU++4jaAnEt3011wPsXwFXi3E/TcTkKMehnkjYMlY+kAtyEcOr0QHSqVNofOSx6WcZ5WRFzh8HFXy6jbCGdVOweIAfb+eDY8pC/LRg3bWdIxKFbFza7lXmES5vlCA9ZNI4dIysPXVLvPNUApAVFNZeMD2q37gY=">https://github.com/cabforum/servercert/compare/2c63814...9ecc201?diff=split</a></span></p>

</div>

<div>

<p class="x_MsoNormal" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;margin-bottom:12.0pt; background:white">

<span style="font-size:12.0pt; color:black"><br>

This compares the current BR branch (2c63814) with our latest updates. Ben Wilson and Martijn Katerbarg have offered extremely useful suggestions, some of which we have accommodated and others we offer for discussion. Specifically, in 6.1.1.3:</span></p>

</div>

<div>

<ul type="disc" style="margin-bottom: 0cm;">

<li class="x_elementtoproof" style="margin-right: 0cm; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;color:black; background:white">

<span class="x_contentpasted2"><span style="font-size:12.0pt">Our version removes the provision "2. There is clear evidence that the specific method used to generate the Private Key was flawed" as we believe that this case is essentially the same as the next

 one (i.e. "clear evidence" of a flawed method must lead to awareness of the "demonstrated or proven method")</span></span><span style="font-size:12.0pt"></span></li><li class="x_elementtoproof" style="margin-right: 0cm; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;color:black; background:white">

<span class="x_contentpasted2"><span style="font-size:12.0pt">The four items 4 (b) (i though iv) are inclusive (i.e all parameters combined) and are now joined by an "and"</span></span><span style="font-size:12.0pt"></span></li><li class="x_elementtoproof" style="margin-right: 0cm; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;color:black; background:white">

<span class="x_contentpasted2"><span style="font-size:12.0pt">As this ballot covers various weak key issues, "Debian" has been removed where not specifically required</span></span><span style="font-size:12.0pt"></span></li><li class="x_elementtoproof" style="margin-right: 0cm; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;color:black; background:white">

<span class="x_contentpasted2"><span style="font-size:12.0pt">The directive that "CAs MUST check for Debian weak keys for all RSA modulus lengths and exponents that they accept" was added via discussion in our SCWG calls and in our view reinforces and extends

 the provision in 4(b). It should be decided if there will be a cutoff point or not. If a CA wants to support 16384-bit RSA keys, do they have to generate first all Debian weak keys of that size or could it be assumed that such Debian weak keys are not expected

 to have been generated before?</span></span><span style="font-size:12.0pt"></span></li><li class="x_elementtoproof" style="margin-right: 0cm; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;color:black; background:white">

<span class="x_contentpasted2"><span style="font-size:12.0pt">We had included links to specific tools but now see that these (and more!) may be found at

<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcabforum.org%2Fresources%2Ftools%2F&data=05%7C01%7Crob%40sectigo.com%7C08fdbbb65b4d49533cd808db26391b8b%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638146414795300553%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Tvn5lvXOCek6%2BlA3AIFp6%2BQdSJN5aXOxmMmi89%2BA99A%3D&reserved=0" data-auth="Verified" originalsrc="https://cabforum.org/resources/tools/" shash="fjdVT0Mw1qWZSyhx8BmwpEzUKvOOiNs1Fgs/3a7Q42Khp8VvLTMUwka2yMY23dD6squijtNckpqA0J/HlVGCws7R3MyUhHVntTabxeJ9/ZvBHZwgghPNS6OrPU3F0Az1BQcqzw9B4XNGNUyImIpcPK23RoDmnu3dM8ZQEVqa8CA=">

https://cabforum.org/resources/tools/</a> under "Check for Bad Private Keys". We have edited the section to direct to this resource.</span></span><span style="font-size:12.0pt"></span></li></ul>

<div>

<p class="x_MsoNormal" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;background:white">

<span class="x_contentpasted2"><span style="font-size:12.0pt; color:black">Regards,</span></span><span style="font-size:12.0pt; color:black"><br>

<br>

<span class="x_contentpasted2">Chris K</span></span></p>

</div>

<div>

<p class="x_MsoNormal" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;background:white">

<span style="font-size:12.0pt; color:black"> </span></p>

</div>

</div>

<div>

<p class="x_MsoNormal" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;background:white">

<span style="font-size:12.0pt; color:black"> </span></p>

</div>

<div>

<div>

<p class="x_MsoNormal" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;background:white">

<span style="font-size:12.0pt; color:black"> </span></p>

</div>

</div>

<div>

<p class="x_MsoNormal" style="margin: 0cm; font-size: 11pt; font-family: Calibri, sans-serif;background:white">

<span style="font-size:12.0pt; color:black"> </span></p>

</div>

</div>

</div>

</div>

</div>

</body>

</html>