[Servercert-wg] SCXX Ballot proposal: Debian Weak keys

Rob Stradling rob at sectigo.com
Wed Jan 6 15:57:18 UTC 2021


Ryan wrote:
> it still seems like specifying the result is the correct approach, regardless of the tool the CA takes.

+1

It wouldn't hurt for the BRs to suggest suitable tools/resources though.

________________________________
From: Ryan Sleevi <sleevi at google.com>
Sent: 06 January 2021 00:43
To: Jacob Hoffman-Andrews <jsha at letsencrypt.org>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Cc: Rob Stradling <rob at sectigo.com>
Subject: Re: [Servercert-wg] SCXX Ballot proposal: Debian Weak keys


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.



On Tue, Jan 5, 2021 at 7:34 PM Jacob Hoffman-Andrews via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>> wrote:
On Tue, Jan 5, 2021 at 9:09 AM Rob Stradling <rob at sectigo.com<mailto:rob at sectigo.com>> wrote:
Since I still had a copy of my code lying around (and since there wasn't much else going on during Twixmas 😉 ), I figured I could turn it into a tool that's much easier for anyone to use...
https://github.com/CVE-2008-0166<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FCVE-2008-0166&data=04%7C01%7Crob%40sectigo.com%7C7743c38f6e3844cafa5208d8b1dc3175%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637454906578126761%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=3gqYppDuYCL1%2F4c672DghX27fExpZBuymn1ZdH6ElAs%3D&reserved=0>

This is excellent, Rob! Thanks for making this. So, question for the list: Assuming we satisfy ourselves (by code review and examination of the output) that these tools generate the same keys that would have been generated on an affected Debian system, are folks here supportive of normatively specifying the Debian weak key check as a tool-based approach that substitutes these tools for the current implicit tool of "a complete Debian system?"

I'm not sure I understand the benefit/objective you're trying to achieve here. Maybe I'm misunderstanding, but it seems you're asking should we specify the process or the result, and it still seems like specifying the result is the correct approach, regardless of the tool the CA takes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210106/af687330/attachment.html>


More information about the Servercert-wg mailing list