[cabfpub] [cabfman] Update of Yngve's BR 1.1 issues + #10

Yngve N. Pettersen (Developer Opera Software ASA) yngve at opera.com
Fri May 25 12:07:09 MST 2012


On Fri, 25 May 2012 20:33:49 +0200, Rick Andrews  
<Rick_Andrews at symantec.com> wrote:

> Yngve,
>
>> The reason I want this included is that, when the Debian weak keys were
>> discovered, it took months to get those certificates revoked. I want it  
>> to
>> be very clear that, in such cases, the certificate must be revoked
>> immediately (that is, within 24 hours of discovery).
>
> The Debian issue is very different from the recent key entropy issue.  
> With Debian, one was able to publish a complete list of bad keys for all

But the process of getting the certificates revoked still took quite a few  
months (too many IMNSHO).

> CAs to check against. With the recent key entropy issue, there is no  
> such list.

As research progresses, I would not be surprised if such lists, or  
formulas for calculating them, becomes available. The Debian incident can  
be considered one such entropy issue, after all.

The intention is that, as the CA confirms that a certificate have a weak  
key, then it must revoke the affected certificate. The CA cannot delay the  
revocation for weeks and months because the subscriber does not update  
their key and certificate.


-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
********************************************************************


More information about the Public mailing list