[Servercert-wg] SCXX Ballot proposal: Debian Weak keys

Ryan Sleevi sleevi at google.com
Wed Jan 6 00:43:38 UTC 2021


On Tue, Jan 5, 2021 at 7:34 PM Jacob Hoffman-Andrews via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> On Tue, Jan 5, 2021 at 9:09 AM Rob Stradling <rob at sectigo.com> wrote:
>
>> Since I still had a copy of my code lying around (and since there wasn't
>> much else going on during Twixmas 😉 ), I figured I could turn it into a
>> tool that's much easier for anyone to use...
>> https://github.com/CVE-2008-0166
>>
>
> This is excellent, Rob! Thanks for making this. So, question for the list:
> Assuming we satisfy ourselves (by code review and examination of the
> output) that these tools generate the same keys that would have been
> generated on an affected Debian system, are folks here supportive of
> normatively specifying the Debian weak key check as a tool-based approach
> that substitutes these tools for the current implicit tool of "a complete
> Debian system?"
>

I'm not sure I understand the benefit/objective you're trying to achieve
here. Maybe I'm misunderstanding, but it seems you're asking should we
specify the process or the result, and it still seems like specifying the
result is the correct approach, regardless of the tool the CA takes.