[cabfpub] [EXTERNAL]Re: Issuance of certificates for keys reported as compromised

Wayne Thayer wthayer at mozilla.com
Tue Aug 21 14:55:37 MST 2018


On Tue, Aug 21, 2018 at 2:15 PM Bruce Morton via Public <public at cabforum.org>
wrote:

> BR 6.1.1.3 states “The CA SHALL reject a certificate request if the
> requested Public Key does not meet the requirements set forth in Sections
> 6.1.5 and 6.1.6 or if it has a known weak Private Key (such as a Debian
> weak key, see http://wiki.debian.org/SSLkeys).”
>
> My assumption is a certificate which has been revoked due to compromise
> has a “weak Private Key.” As such, based on the current BRs, a CA should
> reject certificate requests using a key from a certificate that they
> revoked due to compromise.
>
If we're talking about the same CA re-signing a key previously used in a
certificate that the CA revoked due to key compromise, then [if nothing
else] the CA must revoke the new certificate within 24 hours per
4.9.1.1(3). Thus, I would expect that CAs are checking for reuse of
compromised private keys prior to issuance.

If we're talking about other CAs rejecting the compromised key, then I have
to question whether there is enough benefit to offset the substantial
effort involved in designing and running a system that isn't susceptible to
the concerns Ryan raised. It'd be interesting to see a proposal.

> Bruce.
>
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Tim
> Hollebeek via Public
> Sent: August 21, 2018 4:55 PM
> To: Jeremy Rowley <jeremy.rowley at digicert.com>; Ryan Sleevi
> <sleevi at google.com>; CA/Browser Forum Public Discussion List
> <public at cabforum.org>
> Subject: [EXTERNAL]Re: [cabfpub] Issuance of certificates for keys
> reported as compromised
>
> Yes, certainly, at a minimum, CAs should not be issuing new certificates
> for keys they themselves have previously determined to be compromised.
>
> As you correctly note, this is currently a fairly common occurrence.
>
> -Tim
>
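The narrow case Wayne describes, a CA checking its own keyCompromise revocations before issuing again, can be illustrated with a key-based rather than certificate-based lookup. What follows is an added example for this archive page, not code from the thread or from any CA. It assumes the CA identifies a key by the SHA-256 of its DER-encoded SubjectPublicKeyInfo (so a new CSR that carries the same key under a different subject still matches), that the blocklist is fed only from the CA's own revocations with reason keyCompromise, and that the Certificate and PKCS#10 objects it parses are the constructed toy samples built at the bottom of the block (16-byte moduli, placeholder signatures, nothing signed or verified). The names `CompromisedKeyRegistry`, `spki_from_certificate`, `spki_from_csr` and `demo` are all hypothetical.

```python
"""Pre-issuance check for reuse of a compromised key (hypothetical CA-side helper).
The key is identified by the SHA-256 of its DER SubjectPublicKeyInfo, so a request
carrying the same key under a new subject still matches.  Standard library only."""
import hashlib

KEY_COMPROMISE = 1  # CRLReason keyCompromise (RFC 5280, 5.3.1)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, end) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _elements(value: bytes) -> list:
    """Split a constructed value into its child TLVs, each returned whole."""
    out, pos = [], 0
    while pos < len(value):
        _, _, end = _read_tlv(value, pos)
        out.append(value[pos:end])
        pos = end
    return out


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Certificate -> TBSCertificate -> subjectPublicKeyInfo, which is the 7th
    field when the [0] EXPLICIT version is present and the 6th otherwise."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(_elements(cert)[0], 0)
    fields = _elements(tbs)
    return fields[6] if fields[0][0] == 0xA0 else fields[5]


def spki_from_csr(csr_der: bytes) -> bytes:
    """PKCS#10 CertificationRequest -> CertificationRequestInfo -> 3rd field."""
    _, req, _ = _read_tlv(csr_der, 0)
    _, info, _ = _read_tlv(_elements(req)[0], 0)
    return _elements(info)[2]


def spki_fingerprint(spki_der: bytes) -> str:
    return hashlib.sha256(spki_der).hexdigest()


class CompromisedKeyRegistry:
    """SPKI fingerprints of keys this CA has itself revoked for keyCompromise."""

    def __init__(self):
        self._fingerprints = set()

    def record_revocation(self, cert_der: bytes, reason: int) -> None:
        if reason == KEY_COMPROMISE:  # superseded, cessation etc. do not taint the key
            self._fingerprints.add(spki_fingerprint(spki_from_certificate(cert_der)))

    def decide(self, csr_der: bytes) -> str:
        """'reject' when the request's key is listed, else 'accept'.  CSR signature
        (proof of possession) and subject validation happen elsewhere in the CA."""
        return "reject" if spki_fingerprint(spki_from_csr(csr_der)) in self._fingerprints else "accept"


# --- constructed sample objects: toy 16-byte moduli and zeroed signatures ----
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


_RSA_ALG = _tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption
_SIG_ALG = _tlv(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")  # sha256WithRSA
_FAKE_SIG = _tlv(0x03, b"\x00" * 17)  # placeholder BIT STRING, never verified here


def _rsa_spki(modulus: bytes) -> bytes:
    key = _tlv(0x30, _tlv(0x02, b"\x00" + modulus) + _tlv(0x02, b"\x01\x00\x01"))
    return _tlv(0x30, _RSA_ALG + _tlv(0x03, b"\x00" + key))


def _name(cn: str) -> bytes:  # SEQUENCE OF SET OF { id-at-commonName, UTF8String }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, bytes.fromhex("0603550403") + _tlv(0x0C, cn.encode()))))


def _certificate(spki: bytes, cn: str) -> bytes:
    validity = _tlv(0x30, _tlv(0x17, b"180821000000Z") + _tlv(0x17, b"190821000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x2a") + _SIG_ALG
               + _name("Example CA") + validity + _name(cn) + spki)
    return _tlv(0x30, tbs + _SIG_ALG + _FAKE_SIG)


def _csr(spki: bytes, cn: str) -> bytes:
    info = _tlv(0x30, _tlv(0x02, b"\x00") + _name(cn) + spki + _tlv(0xA0, b""))
    return _tlv(0x30, info + _SIG_ALG + _FAKE_SIG)


COMPROMISED_SPKI = _rsa_spki(bytes(range(0xC0, 0xD0)))
FRESH_SPKI = _rsa_spki(bytes(range(0xA0, 0xB0)))
REVOKED_CERT = _certificate(COMPROMISED_SPKI, "www.example.com")


def demo() -> dict:
    registry = CompromisedKeyRegistry()
    registry.record_revocation(REVOKED_CERT, KEY_COMPROMISE)
    registry.record_revocation(_certificate(FRESH_SPKI, "old.example.net"), 4)  # superseded
    return {  # same key, different subject -> reject; merely superseded key -> accept
        "same_key_new_subject": registry.decide(_csr(COMPROMISED_SPKI, "shop.example.org")),
        "superseded_key": registry.decide(_csr(FRESH_SPKI, "old.example.net")),
    }
```

The point of hashing the SPKI rather than keeping serial numbers or subjects is that the thing the BRs care about is the key: the request in `demo()` for a different host name with the previously compromised key is refused, while a key whose certificate was revoked for an unrelated reason is not. This covers only the single-CA case from the message above; sharing such a list across CAs raises the design questions the thread leaves open.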