[Servercert-wg] Updating BR 6.1.1.3
Christopher Kemmerer
chris at ssl.com
Tue Apr 7 12:14:00 MST 2020
We would like to open discussion on strengthening the following language
in the Baseline Requirements Section 6.1.1.3. Subscriber Key Pair
Generation.
It would appear that the language of this section is more or less the
same as that adopted in Version 1.0 of the BRs (adopted on 22 November
2011 with an Effective Date of 1 July 2012):
"9.5 Subscriber Public Key
The CA SHALL reject a certificate request if the requested Public Key
does not meet the requirements set forth in
Appendix A or if it has a known weak Private Key (such as a Debian weak
key, see http://wiki.debian.org/SSLkeys)."
There seems to be variation among CAs in implementing checks against
collections of known weak keys. The result has been periodic issuance of
certificates using weak private keys [1][2][3][4].
It has come to our attention that the existing language is vague enough
to be subject to multiple interpretations, leading to instances wherein
a CA may be technically in compliance with the stated requirement but
may still issue a certificate using a weak Private Key.
All CAs MUST consult blacklists, but if these blacklists are incomplete
then this will remain an exploitable attack surface.
We would like to recommend a possible update to section 6.1.1.3:
CHANGE:
"The CA SHALL reject a certificate request if the requested Public Key
does not meet the requirements set forth in Sections 6.1.5 and 6.1.6 or
if it has a known weak Private Key (such as a Debian weak key, see
http://wiki.debian.org/SSLkeys)"
TO:
"The CA SHALL reject a certificate request if the requested Public Key
does not meet the requirements set forth in Sections 6.1.5 and 6.1.6 or
if it has a known weak Private Key (such as a Debian weak key, see
http://wiki.debian.org/SSLkeys)". The minimum set for the Debian weak
keys can be found at
https://sources.debian.org/data/main/o/openssl-blacklist/0.5-3/."
This would clarify that all CAs SHALL block at least the vulnerable keys
produced by OpenSSL.
Thank you.
Chris Kemmerer
SSL.com
---------------------------------------
[1]
https://community.letsencrypt.org/t/2017-09-09-late-weak-key-revocation/42519
(please direct me to the corresponding bug, if any)
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1620772
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1435770
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1472052
=======================================
See also related BR section:
4.9.1.1 Reasons for Revoking a Subscriber Certificate
"The CA SHOULD revoke a certificate within 24 hours and MUST revoke a
Certificate within 5 days if one or
more of the following occurs:
<snip>
11. The CA is made aware of a demonstrated or proven method that exposes
the Subscriber's Private Key
to compromise, methods have been developed that can easily calculate it
based on the Public Key
(such as a Debian weak key, see http://wiki.debian.org/SSLkeys), or if
there is clear evidence that the
specific method used to generate the Private Key was flawed."
=======================================
--
Chris Kemmerer
Manager of Operations
SSL.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~ To find the reefs, look ~~~~~~~
~~~~ for the wrecks. ~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
More information about the Servercert-wg
mailing list