[Servercert-wg] [EXTERNAL]-Re: SCXX Ballot proposal: Debian Weak keys
Chris Kemmerer
chris at ssl.com
Wed May 4 16:12:26 UTC 2022
Thanks, Karina and Ryan. If we understand correctly the questions are:
1) How does a CA gather useful information to observe 6.1.1.3?
2) Can we clarify 6.1.1.3 item 3 regarding rejection of an request using
a compromised key?
6.1.1.3, both currently and with the proposed changes, does the following:
1) offers *broad *guidance regarding a private key's makeup, generation
and liability to compromise (items 1 and 2 in our proposed version of
6.1.1.3);
2) instructs CAs on handling a *submitted, previously compromised key*
(item 3); and
3) gives *specific *guidance for identified issues (item 4 as proposed
for ROCA/Debian weak keys, and Martijn's suggested addition for the
Fermat attack).
For the broader items, CAs are currently required to be aware of and
protect against issues related to improper key requirements and
demonstrated/proven methods of key compromise. This is existing language
which this proposal does not change, and, as Ryan notes, CAs are
expected to use community resources to track developments and discussion.
Our original intention with this ballot was to correct what we believe
was insufficient guidance specifically for Debian weak key issues, and
for these at least, the work of HARICA and Sectigo has provided the
community a useful tool - a consultable, finite data set to check
against. We do think it'd be useful to include one or more locations for
this resource in this ballot language, if these can be agreed upon.
(We've offered to host this data ourselves, but welcome other options.)
Beyond Debian weak keys, though, we're happy (for some values of happy)
to tackle other matters as well. We are open to language on mitigation
against the Fermat Attack issue, and will note again that Let's Encrypt
has updated Boulder to address this
(https://github.com/letsencrypt/boulder/pull/5853). Is Martijn's
proposal sufficient?
For Karina's point re: Subscriber Key Compromise, we agree that the
language could be clarified so that the particular (compromised) key is
the unit of rejection rather than the Subscriber. Perhaps something like
(addition in *bold*):
"The CA has previously been made aware that the Subscriber's *submitted
*Private Key has suffered a Key Compromise, such as through the
provisions of Section 4.9.1.1;"
On 5/2/2022 11:12 AM, Ryan Sleevi wrote:
>
>
> On Mon, May 2, 2022 at 11:25 AM Karina Sirota via Servercert-wg
> <servercert-wg at cabforum.org> wrote:
>
> There are some primary concerns about this- mainly, how would a
> CA be aware of gathering the information mentioned in most of the
> methods below?
>
>
> At a minimum, problem reports that credibly demonstrate this
> information. Equally, a broadcast to the CA/Browser Forum Members list
> (e.g. for security relevant disclosures) could also be argued as the
> CA being made aware.
>
> Can we get more specific about the methods that expose private
> keys or how a CA should gather this information: “b) In the case
> of Debian weak keys (https://wiki.debian.org/SSLkeys
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.debian.org%2FSSLkeys&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642543179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ATNh%2BnLhaXmkh8bFEh6LVti4l5wVi%2FGnnvy2fm32bio%3D&reserved=0>),
> the CA SHALL reject at least keys generated by the flawed OpenSSL
> version with the combination of the following parameters: i)
> Big-endian 32-bit, little-endian 32-bit, and little-endian 64-bit
> architecture; ii) Process ID of 0 to 32767, inclusive; iii) All
> RSA Public Key lengths supported by the CA up to and including
> 4096 bits; iv) rnd, nornd, and noreadrnd OpenSSL random file state“
>
>
> This can be empirically tested/compared (as the discussion on the list).
>
> and "The CA has previously been made aware that the Subscriber's
> Private Key has suffered a Key Compromise, such as through the
> provisions of Section 4.9.1.1;"
>
>
> I'm not sure I follow? This would be the CA consulting their own list
> of compromised keys (e.g. as they're required to retain records for)
>
> There are concerns that CAs wouldn’t be able to get the visibility
> into the subscriber’s key generation process to verify this.
>
> For "The CA has previously been made aware that the Subscriber's
> Private Key has suffered a Key Compromise, such as through the
> provisions of Section 4.9.1.1;", can we also clean up the language
> to be clear that the CA cannot issue only for the compromised key?
> The way this is phrased sounds like it could also mean that a CA
> should not issue ANYTHING to a subscriber who previously have a
> key compromise, which I don’t believe is the goal here.
>
> Best,
>
> Karina
>
> *Ka*rina *Sirota* | Security Program Manager 2
>
> Trusted Root Program, Trust Governance and Resilience
>
> /After-hours responses neither required nor expected. /
>
>
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On
> Behalf Of *Chris Kemmerer via Servercert-wg
> *Sent:* Friday, April 15, 2022 5:07 PM
> *To:* Martijn Katerbarg <martijn.katerbarg at sectigo.com>; CA/B
> Forum Server Certificate WG Public Discussion List
> <servercert-wg at cabforum.org>
> *Subject:* Re: [Servercert-wg] [EXTERNAL]-Re: SCXX Ballot
> proposal: Debian Weak keys
>
> Thanks for your suggestion, Martijn. We ourselves wouldn't object
> to this addition, though we'd certainly like to poll the community
> on their thoughts.
>
> We see that the vulnerability you address has been assigned
> https://nvd.nist.gov/vuln/detail/CVE-2022-26320
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE-2022-26320&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642543179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=prmP%2BEnjpTv5UE9elnyOWm9zGi0jQFZ4Pl%2BQhX9%2Fbig%3D&reserved=0>,
> with https://fermatattack.secvuln.info/
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffermatattack.secvuln.info%2F&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642543179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XWYdDEfOGcQ5ahAGCyRl7o%2BoJnUjmYsULjoefO%2Fex%2B8%3D&reserved=0>
> looking like the main resource for this issue. We also note (per
> that latter site) that Let's Encrypt has updated Boulder to check
> for this vulnerability
> (https://github.com/letsencrypt/boulder/pull/5853
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fletsencrypt%2Fboulder%2Fpull%2F5853&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642543179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=sNfdCK05Ti1ahvBy9DSAVROj%2BJKux7GUFB0NS0BC4sg%3D&reserved=0>).
>
> The Debian weak key and ROCA vulnerabilities have been known lo
> these many years (although not all CAs had sufficient safeguards
> in place, and the sections of the BRs provided less than
> comprehensive guidance on what those safeguards should be - hence
> this ballot initiative).
>
> Since CVE-2022-26320 was only published March 14 2022, one
> alternative would be would be to defer a decision on the Fermat
> attack language to another, later ballot, but we again invite
> community input on incorporating this suggestion into our current
> proposed ballot.
>
> One practical question (not addressed in our current language)
> would be the deadline for CAs to add the checks required in this
> ballot, with our thought being to place it in the nearer term
> (some few months after ballot passage/review) but not immediately
> upon adoption of the ballot. This particularly is of interest for
> any changes/checks required for CVE-2022-26320, but in our view
> any deadline should be considered to apply to all vulnerabilities
> addressed in this ballot.
>
> Thanks,
>
> Chris K
>
> On 4/5/2022 4:53 AM, Martijn Katerbarg wrote:
>
> Hi Chris,
>
> I would like to propose an additional check to the proposed
> language so it includes checking for the Close Primes
> vulnerability. For this I’d like to propose we add to 6.1.1.3 (4):
>
>
> “c) In the case of Close Primes vulnerability, the CA SHALL
> reject weak keys identified within 100 rounds using Fermat’s
> factorization method”
>
> Martijn
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org>
> <mailto:servercert-wg-bounces at cabforum.org> *On Behalf Of
> *Chris Kemmerer via Servercert-wg
> *Sent:* Thursday, 31 March 2022 16:43
> *To:* Jaime Hablutzel via Servercert-wg
> <servercert-wg at cabforum.org> <mailto:servercert-wg at cabforum.org>
> *Subject:* Re: [Servercert-wg] [EXTERNAL]-Re: SCXX Ballot
> proposal: Debian Weak keys
>
> CAUTION: This email originated from outside of the
> organization. Do not click links or open attachments unless
> you recognize the sender and know the content is safe.
>
> We are pleased to return to discussion of this proposed
> ballot, which we've reprinted immediately below.
>
> Based on the discussion thus far, we've addressed Corey's
> point by adding the *bolded *line re: which modulus/exponents
> a CA MUST check. (We generally agree with Jaime's suggestion
> that CAs /should /check the modulus only but don't see it as
> crucial to explicitly state this in the ballot.)
>
> We've also updated the version in the proposal.
>
> If this ballot proceeds the next available designation would
> be SC55.
>
> Many thanks,
>
> Chris K
>
>
> =====
>
> --- Motion Begins ---
>
>
> This ballot modifies the “Baseline Requirements for the
> Issuance and Management of Publicly-Trusted Certificates” as
> follows, based on Version 1.8.2:
>
>
> Proposed ballot language:
>
>
> /4.9.1.1 Reasons for Revoking a Subscriber Certificate /
>
>
> Replace:
>
>
> 4. The CA is made aware of a demonstrated or proven method
> that can easily compute the Subscriber’s Private Key based on
> the Public Key in the Certificate (such as a Debian weak key,
> see https://wiki.debian.org/SSLkeys
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.debian.org%2FSSLkeys&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642543179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ATNh%2BnLhaXmkh8bFEh6LVti4l5wVi%2FGnnvy2fm32bio%3D&reserved=0>)
>
>
>
> With:
>
>
> 4. The CA is made aware of a demonstrated or proven method
> that can easily compute the Subscriber’s Private Key (such as
> those identified in 6.1.1.3(4)).
>
> ---
>
> /6.1.1.3. Subscriber Key Pair Generation /
>
>
> Replace:
>
>
> The CA SHALL reject a certificate request if one or more of
> the following conditions are met:
>
> 1. The Key Pair does not meet the requirements set forth in
> Section 6.1.5 and/or Section 6.1.6;
> 2. There is clear evidence that the specific method used to
> generate the Private Key was flawed;
> 3. The CA is aware of a demonstrated or proven method that
> exposes the Applicant's Private Key to compromise;
> 4. The CA has previously been made aware that the Applicant's
> Private Key has suffered a Key Compromise, such as through the
> provisions of Section 4.9.1.1;
> 5. The CA is aware of a demonstrated or proven method to
> easily compute the Applicant's Private Key based on the Public
> Key (such as a Debian weak key, see
> https://wiki.debian.org/SSLkeys
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.debian.org%2FSSLkeys&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642543179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ATNh%2BnLhaXmkh8bFEh6LVti4l5wVi%2FGnnvy2fm32bio%3D&reserved=0>).
>
>
>
> With:
>
>
> The CA SHALL reject a certificate request if one or more of
> the following occurs:
>
> 1) The requested Public Key does not meet the requirements set
> forth in Sections 6.1.5 and/or 6.1.6;
> 2) The CA is aware of a demonstrated or proven method that
> exposes the Subscriber's Private Key to compromise;
> 3) The CA has previously been made aware that the Subscriber's
> Private Key has suffered a Key Compromise, such as through the
> provisions of Section 4.9.1.1;
> 4) The Public Key corresponds to an industry demonstrated weak
> Private Key, in particular:
> a) In the case of ROCA vulnerability, the CA SHALL reject keys
> identified by the tools available at
> https://github.com/crocs-muni/roca
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcrocs-muni%2Froca&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642543179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=7UfsVU%2BiqjZOWsJ8n2JokRUxQTeiPgzOFX%2FjdMpuuXo%3D&reserved=0>
> or equivalent.
> b) In the case of Debian weak keys
> (https://wiki.debian.org/SSLkeys
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.debian.org%2FSSLkeys&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642543179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ATNh%2BnLhaXmkh8bFEh6LVti4l5wVi%2FGnnvy2fm32bio%3D&reserved=0>),
> the CA SHALL reject at least keys generated by the flawed
> OpenSSL version with the combination of the following parameters:
>
> i) Big-endian 32-bit, little-endian 32-bit, and little-endian
> 64-bit architecture;
> ii) Process ID of 0 to 32767, inclusive;
> iii) All RSA Public Key lengths supported by the CA up to and
> including 4096 bits;
> iv) rnd, nornd, and noreadrnd OpenSSL random file state.
>
> For Debian weak keys not covered above, the CA SHALL take
> actions to minimize the probability of certificate issuance.
>
> *CAs MUST check for Debian weak keys for all RSA modulus
> lengths and exponents that they accept.*
>
> --- Motion Ends ---
>
> =====
>
> On 10/28/2021 3:55 PM, Jaime Hablutzel via Servercert-wg wrote:
>
> It could be helpful to be a little bit more explicit on
> the fact that the required check is against the
> modulus only as it could avoid developers to implement
> this check against full public keys, which can lead to:
>
> 1. Some CAs could unknowingly embark themselves in the
> onerous task of generating the affected key pairs for
> each different public exponent, which is not really
> required.
> 2. Because of the higher amount of work required for
> supporting/maintaining the check in this way, some CAs
> might mistakenly omit checking some subscriber keys,
> e.g. they might have in their blocklists only the
> affected public keys with the public exponent set to
> 65537, even when they (unintentionally) support
> subscriber keys with other values for the public exponent.
>
> On Thu, 28 Oct 2021 at 03:02 Rob Stradling
> <rob at sectigo.com> wrote:
>
> > I think we can merely state that CAs must check for
> Debian weak keys for all RSA modulus lengths and
> exponents that they accept. Using a comparison of the
> modulus (or its hash) is essentially an implementation
> detail that we don’t need to explicitly mandate.
>
> Thanks Corey. That makes sense.
>
> ------------------------------------------------------------------------
>
> *From:*Corey Bonnell
> *Sent:* Wednesday, October 27, 2021 18:43
> *To:* Rob Stradling; Jaime Hablutzel; CA/B Forum
> Server Certificate WG Public Discussion List
> *Cc:* Christopher Kemmerer
> *Subject:* RE: [EXTERNAL]-Re: [Servercert-wg] SCXX
> Ballot proposal: Debian Weak keys
>
> > Hi Jaime. Ooh, you're right! The affected OpenSSL
> versions generate the same predictable moduli
> regardless of the public exponent value.
>
> Yes, that’s great to know; thanks for pointing it out.
>
> > What's the best way to capture all this in the ballot?
>
> I think we can merely state that CAs must check for
> Debian weak keys for all RSA modulus lengths and
> exponents that they accept. Using a comparison of the
> modulus (or its hash) is essentially an implementation
> detail that we don’t need to explicitly mandate.
>
> Thanks,
>
> Corey
>
> *From:* Rob Stradling <rob at sectigo.com>
> *Sent:* Wednesday, October 27, 2021 5:31 AM
> *To:* Jaime Hablutzel <jhablutz at WISEKEY.COM>; CA/B
> Forum Server Certificate WG Public Discussion List
> <servercert-wg at cabforum.org>
> *Cc:* Corey Bonnell <Corey.Bonnell at digicert.com>;
> Christopher Kemmerer <chris at ssl.com>
> *Subject:* Re: [EXTERNAL]-Re: [Servercert-wg] SCXX
> Ballot proposal: Debian Weak keys
>
> Hi Jaime. Ooh, you're right! The affected OpenSSL
> versions generate the same predictable moduli
> regardless of the public exponent value.
>
> So yes, the optimal approach seems to be for CAs to
> use Debian weak key blocklists that are based on only
> the RSA modulus.
>
> Corey's point applies if a CA chooses instead to
> implement a Debian weak key blocklist of (for example)
> SubjectPublicKeyInfos with public exponent 65537.
>
> What's the best way to capture all this in the ballot?
>
> ------------------------------------------------------------------------
>
> *From:*Jaime Hablutzel
> *Sent:* Sunday, October 24, 2021 23:25
> *To:* Rob Stradling; CA/B Forum Server Certificate WG
> Public Discussion List
> *Cc:* Corey Bonnell; Christopher Kemmerer
> *Subject:* Re: [EXTERNAL]-Re: [Servercert-wg] SCXX
> Ballot proposal: Debian Weak keys
>
> Hi, I might be (very) wrong here, but, shouldn’t
> blocklists be based only on the RSA modulus for
> different key sizes so validation implementations
> match the module only irrespective of whatever the
> public exponent is? or does the affected prime
> generation random source seed from the public exponent
> too?
>
> On 22 Oct 2021, at 08:58, Rob Stradling via
> Servercert-wg <servercert-wg at cabforum.org> wrote:
>
> > ...my opinion is that we should introduce a new requirement such that CAs must check for
> Debian weak keys for all RSA modulus lengths and
> exponents that they accept. CAs are uniquely
> positioned to prevent the usage of these weak keys
> in the web PKI, so there is a security benefit in
> mandating such universal checks.
>
> Hi Corey. Yeah, OK. You've persuaded me.
>
> FWIW, my tools at https://github.com/CVE-2008-0166
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__github.com_CVE-2D2008-2D0166%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DgZAtYdIgwjZ_F9FpjPlUFmh9SQve9WXOyzZCTDLhsH4%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642543179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=11SI7Pny1qyNvMx34GeEnrGJ5U8t6xo%2BdS6dcIyGREM%3D&reserved=0> only
> support 65537 at the moment. I guess I'll just
> have to wait and see if anyone asks for other
> public exponent values to be supported. 🙂
>
> ------------------------------------------------------------------------
>
> *From:* Corey Bonnell
> *Sent:* Tuesday, October 19, 2021 19:48
> *To:* Rob Stradling; Christopher Kemmerer; CA/B
> Forum Server Certificate WG Public Discussion List
> *Subject:* RE: [Servercert-wg] SCXX Ballot
> proposal: Debian Weak keys
>
> Hi Rob,
>
> Comments inline.
>
> > AFAICT, in the affected Debian OpenSSL versions:
>
> - "openssl req -newkey" had a hardcoded public
> exponent of 65537 (see
> https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__github.com_openssl_openssl_blob_OpenSSL-5F0-5F9-5F8f_apps_req.c-23L768%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DVu5UXlPv7euZNJXCO15ReMLK_k5MyC3YaUliVn6DQcU%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642543179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ZjC2zw7GWCs4fcgMZjfl6A7oa7Ws5FgVsgPt9TOIku0%3D&reserved=0>).
>
> - "openssl genrsa" defaulted to 65537, but
> provided a "-3" command-line option to use a
> public exponent of 3 instead (see
> https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/genrsa.c
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__github.com_openssl_openssl_blob_OpenSSL-5F0-5F9-5F8f_apps_genrsa.c%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DMXbwubefERoNQfWd4kC0f7rxRrBl5yB1YZ2Y3OmPQoo%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642543179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2BVkZ9MX9YerJS91NzUJl0kIMPEGBbiJ%2FHhHwTRw0Oa4%3D&reserved=0>).
>
> As you point out, the command-line tooling bundled
> with OpenSSL 0,9.8 generally restricted the
> allowed exponent. However, the RSA key generation
> API allowed any exponent to be specified [1], so
> it is possible that a custom application passed
> exponent values besides 3 or 65537 to the RSA key
> generation function.
>
> > Are there any good reasons to continue to permit
> the public exponent 3 ?
>
> Judging from Censys, it appears that there are
> some publicly trusted certificates containing RSA
> keys with an exponent of 3, so there will
> presumably be a (minor) ecosystem impact if an
> exponent value of 3 were banned. That being said,
> exponents smaller than 65537 are outside the
> SHOULD-level exponent range since BR v1.1.3 (now
> in section 6.1.6) so perhaps it’s time to consider
> strengthening the SHOULD to a MUST. Probably such
> a change would be outside the scope of this
> ballot, though.
>
> > The "openssl-vulnkey" tool that Debian used to
> ship only provided blocklists for keys with public
> exponents of 65537, so should we take that as a
> sign that CAs needn't perform a Debian weak key
> check when the public exponent is anything other
> than 65537 ?
>
> While the precedent set by accepted remediations
> for incidents surrounding Debian weak keys has
> been for CAs to check the lists distributed in the
> openssl-blacklist Debian package, my opinion is
> that we should introduce a new requirement such
> that CAs must check for Debian weak keys for all
> RSA modulus lengths and exponents that they
> accept. CAs are uniquely positioned to prevent the
> usage of these weak keys in the web PKI, so there
> is a security benefit in mandating such universal
> checks.
>
> Thanks,
>
> Corey
>
> [1]
> https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/crypto/rsa/rsa_gen.c#L78
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__github.com_openssl_openssl_blob_OpenSSL-5F0-5F9-5F8f_crypto_rsa_rsa-5Fgen.c-23L78%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DBZt9wGuErHLlj4PgA-Q_BWX-TmBE7NrL_QZcjyFCmLs%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642543179%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Oth7ho%2BL68o2w6vXRUdwVrgwbOM29wfmFDqGC7iSmXY%3D&reserved=0>
>
> *From:* Rob Stradling <rob at sectigo.com>
> *Sent:* Tuesday, October 19, 2021 11:31 AM
> *To:* Christopher Kemmerer <chris at ssl.com>; CA/B
> Forum Server Certificate WG Public Discussion List
> <servercert-wg at cabforum.org>; Corey Bonnell
> <Corey.Bonnell at digicert.com>
> *Subject:* Re: [Servercert-wg] SCXX Ballot
> proposal: Debian Weak keys
>
> Hi Corey.
>
> AFAICT, in the affected Debian OpenSSL versions:
>
> - "openssl req -newkey" had a hardcoded public
> exponent of 65537 (see
> https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__github.com_openssl_openssl_blob_OpenSSL-5F0-5F9-5F8f_apps_req.c-23L768%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DVu5UXlPv7euZNJXCO15ReMLK_k5MyC3YaUliVn6DQcU%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642593164%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=T%2FLmr%2FIypBm5ip5cewpVKYgyu3erniREIZEkchQTYjo%3D&reserved=0>).
>
> - "openssl genrsa" defaulted to 65537, but
> provided a "-3" command-line option to use a
> public exponent of 3 instead (see
> https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/genrsa.c
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__github.com_openssl_openssl_blob_OpenSSL-5F0-5F9-5F8f_apps_genrsa.c%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DMXbwubefERoNQfWd4kC0f7rxRrBl5yB1YZ2Y3OmPQoo%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642593164%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=UuS2bPXQQ5zH5eQtdoP7HMVEcpSVDP7Rjt%2FNItIdygs%3D&reserved=0>).
>
> Are there any good reasons to continue to permit
> the public exponent 3 ?
>
> The "openssl-vulnkey" tool that Debian used to
> ship only provided blocklists for keys with public
> exponents of 65537, so should we take that as a
> sign that CAs needn't perform a Debian weak key
> check when the public exponent is anything other
> than 65537 ?
>
> ------------------------------------------------------------------------
>
> *From:* Servercert-wg
> <servercert-wg-bounces at cabforum.org> on behalf of
> Corey Bonnell via Servercert-wg
> <servercert-wg at cabforum.org>
> *Sent:* 19 October 2021 15:31
> *To:* Christopher Kemmerer <chris at ssl.com>; CA/B
> Forum Server Certificate WG Public Discussion List
> <servercert-wg at cabforum.org>
> *Subject:* Re: [Servercert-wg] SCXX Ballot
> proposal: Debian Weak keys
>
> CAUTION: This email originated from outside of the
> organization. Do not click links or open
> attachments unless you recognize the sender and
> know the content is safe.
>
> Hi Chris,
>
> Apologies for the late reply. I noticed that the
> current proposed language has no guidance
> regarding RSA exponents. I think it would be
> useful to specify the expectations in this regard
> (whether the CA must check for weak keys for all
> key lengths and exponent combinations
> accepted/supported by the CA, or if checking weak
> key lists for only exponents 3 and 65537 is
> sufficient, etc.).
>
> Thanks,
>
> Corey
>
> *From:* Servercert-wg
> <servercert-wg-bounces at cabforum.org> *On Behalf Of
> *Christopher Kemmerer via Servercert-wg
> *Sent:* Friday, October 15, 2021 10:33 AM
> *To:* Rob Stradling <rob at sectigo.com>; Dimitris
> Zacharopoulos (HARICA) <dzacharo at harica.gr>; CA/B
> Forum Server Certificate WG Public Discussion List
> <servercert-wg at cabforum.org>; Jacob
> Hoffman-Andrews <jsha at letsencrypt.org>
> *Subject:* Re: [Servercert-wg] SCXX Ballot
> proposal: Debian Weak keys
>
> Thank you, Rob, and shall watch for that update.
> Meanwhile we are doing a final-final pass through
> our draft language for clarity and will send it
> early next week.
>
> Chris K
>
> Meanwhile, we've cycled our draft language through
> another review and have made IIRC only one or two
> minor edits for clarity (h/t BenW).
>
> On 10/14/2021 9:49 AM, Rob Stradling wrote:
>
> Today I rediscovered that I'd previously
> generated the RSA-8192 blocklists back in
> December 2009, and that they're still
> available at
> https://secure.sectigo.com/debian_weak_keys/
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fsecure.sectigo.com-252Fdebian-5Fweak-5Fkeys-252F-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987811664-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DBknvgeWEnZ4pvV0PZHrsqaYgYgzgs4wad1Y3lmy1FWk-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DzzVoaIwOBGmJbK59JUU8ZW6-rpOfDM9LW4-DOaggMQQ%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642593164%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=BGMgoeDsxZxjLThXAhw1r9WObqfYZZ8S%2FVVVSyZYUak%3D&reserved=0>.
> When I compared the old and new RSA-8192
> blocklists, I found that ~0.8% of the "rnd"
> keys are different. It looks like, for
> reasons unknown, the "OpenSSL random file
> state" misbehaved occasionally over the 8
> month run that ended recently.
>
> I'll report back once I've regenerated and
> verified the problematic keys.
>
> ------------------------------------------------------------------------
>
> *From:* Rob Stradling <rob at sectigo.com>
> <mailto:rob at sectigo.com>
> *Sent:* 23 September 2021 19:17
> *To:* Christopher Kemmerer <chris at ssl.com>
> <mailto:chris at ssl.com>; Dimitris Zacharopoulos
> (HARICA) <dzacharo at harica.gr>
> <mailto:dzacharo at harica.gr>; CA/B Forum Server
> Certificate WG Public Discussion List
> <servercert-wg at cabforum.org>
> <mailto:servercert-wg at cabforum.org>; Jacob
> Hoffman-Andrews <jsha at letsencrypt.org>
> <mailto:jsha at letsencrypt.org>; Rob
> Stradling<rob at sectigo.com>
> <mailto:rob at sectigo.com>
> *Subject:* Re: [Servercert-wg] SCXX Ballot
> proposal: Debian Weak keys
>
> > BTW, in case it helps, I'm about half way through generating a full set of RSA-8192
> Debian weak keys, which (when complete) I'll
> add to the https://github.com/CVE-2008-0166
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987811664-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DhEYtpXP81bOYFl0bdDSzbg8zxn7gozJ2bXAzE3ZPLwQ-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DCZuzMqYs2tJKnr9PUCkV8xEr-EQLZuEnpygT0nUUNYQ%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642593164%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=f4ALHzn5E6dxITiOFVpfX4c%2BUAIfgvp669PPLb6BcLk%3D&reserved=0> repositories.
>
> It took nearly 8 months (using just a single
> core of a fairly modest CPU), but it finally
> finished! Repositories updated.
>
> ------------------------------------------------------------------------
>
> *From:* Servercert-wg
> <servercert-wg-bounces at cabforum.org>
> <mailto:servercert-wg-bounces at cabforum.org> on
> behalf of Rob Stradling via Servercert-wg
> <servercert-wg at cabforum.org>
> <mailto:servercert-wg at cabforum.org>
> *Sent:* 13 May 2021 15:42
> *To:* Christopher Kemmerer <chris at ssl.com>
> <mailto:chris at ssl.com>; Dimitris Zacharopoulos
> (HARICA) <dzacharo at harica.gr>
> <mailto:dzacharo at harica.gr>; CA/B Forum Server
> Certificate WG Public Discussion List
> <servercert-wg at cabforum.org>
> <mailto:servercert-wg at cabforum.org>; Jacob
> Hoffman-Andrews <jsha at letsencrypt.org>
> <mailto:jsha at letsencrypt.org>
> *Subject:* Re: [Servercert-wg] SCXX Ballot
> proposal: Debian Weak keys
>
> CAUTION: This email originated from outside of
> the organization. Do not click links or open
> attachments unless you recognize the sender
> and know the content is safe.
>
> > iii) All RSA Public Key lengths supported by the CA up to and including 4096 bits;
>
> > ...
>
> > For Debian weak keys not covered above, the CA SHALL take actions to minimize the
> probability of certificate issuance.
>
> Hi Christopher. What sort of "actions" are
> envisaged here? If a CA is processing a
> certificate request that contains a (for
> example) RSA-4088 public key (i.e., a key size
> not covered by an available Debian weak list),
> either the CA is going to issue the cert or
> they're not. What, concretely, does "minimize
> the probability of certificate issuance"
> actually mean?
>
> Why not remove that "SHALL" sentence and
> change point iii to: "iii) All RSA Public Key
> lengths supported by the CA." ?
>
> BTW, in case it helps, I'm about half way
> through generating a full set of RSA-8192
> Debian weak keys, which (when complete) I'll
> add to the https://github.com/CVE-2008-0166
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987821618-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3D34YXT3egxh7Xtc5k5gqy8idcbz9cgokAIz7o8Xwbh94-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DtaqinDAOLRdSvETy9ob78hR_-KPxttqWcUNY_M86mTY%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642593164%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=km7JdYBArwmQ%2FyoEXSjTlTIkrg9qQ17jeGPvmUWimEk%3D&reserved=0> repositories.
>
> ------------------------------------------------------------------------
>
> *From:* Christopher Kemmerer <chris at ssl.com>
> <mailto:chris at ssl.com>
> *Sent:* 13 May 2021 15:12
> *To:* Rob Stradling <rob at sectigo.com>
> <mailto:rob at sectigo.com>; Dimitris
> Zacharopoulos (HARICA) <dzacharo at harica.gr>
> <mailto:dzacharo at harica.gr>; CA/B Forum Server
> Certificate WG Public Discussion List
> <servercert-wg at cabforum.org>
> <mailto:servercert-wg at cabforum.org>; Jacob
> Hoffman-Andrews <jsha at letsencrypt.org>
> <mailto:jsha at letsencrypt.org>
> *Subject:* Re: [Servercert-wg] SCXX Ballot
> proposal: Debian Weak keys
>
> CAUTION: This email originated from outside of
> the organization. Do not click links or open
> attachments unless you recognize the sender
> and know the content is safe.
>
> Hello,
>
> We deeply appreciate the useful discussion in
> this thread regarding this issue. We
> especially applaud the efforts of HARICA and
> Sectigo to independently generate more
> comprehensive lists of potentially affected
> Debian weak keys. As Rob Stradling observed
> through his crt.sh research (20210107,
> https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgist.github.com-252Frobstradling-252Fa5590b6a13218fe561dcb5d5c67932c5-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987821618-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DQXz4cOmARv-252Fg8-252FJF2NNEW2-252BSbjHJu1pv8X6vjLCx7io-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DEARvfcpJ6O_cJ0KioLW9U0gNj00u2-_njjGSKcTRtE8%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642593164%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2Fw0jtGtNYpy%2Fk%2Ffbu0qq4W75umKZL%2FgihNlJhAaHdhw%3D&reserved=0>)
> of the five most utilized algorithm/key size
> populations, two are ECC (so not impacted by
> the Debian weak key issue) and three are RSA
> (2048, 4096, and 3072 bit length, in that order).
>
> As of their most recent messages it appears
> that these two organizations have
> independently generated comprehensive lists
> identifying all RSA-2048 and -4096 bit length
> keys. (We understand RSA-3072 length keys are
> also available.) This offers the possibility
> that complete lists, if accepted as
> authoritative, could be accessed by the
> community to help prevent exploitation of this
> vulnerability.
>
> It was also noted (by the representative from
> Let's Encrypt) that the ROCA vulnerability is
> presently identified through use of a tool
> supported externally. It was suggested that
> this resource be archived in a manner that
> ensures availability. (Our proposed language
> points to "https://github.com/crocs-muni/
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252Fcrocs-2Dmuni-252F-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987831575-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DZQMlATqs-252BM7Vr3aIgjdrH06gaOrkgAPTbMkM4gcSROs-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DgoTnhfES-zV16ifNjJ90Y_GUk39wftGwqMJiZKuw5aY%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642593164%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=dTFDusV%2FMHpFPIr1eWZ8mREATuC5MnZn%2FJ%2BauJtx21c%3D&reserved=0>roca
> or equivalent.")
>
> We think our present ballot language
> (reproduced at the end of this message)
> provides appropriately focused guidance to
> CAs. If available, we'd certainly like to also
> see the HARICA/Sectigo lists (which CAs could
> use for the majority of Debian weak key use
> cases) captured somewhere in this ballot
> language. We are agnostic as to 1) where
> exactly these resources might be maintained
> and 2) where this ballot places directions to
> these resources - an annex to the current
> requirements, a separate CA/BF guidance
> document or within Sections 4.9.1.1/6.1.1.3
> <https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2F4.9.1.1%2F6.1.1.3&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642593164%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=iT2v17IxPRIKft8oE0gZppeY2GN4QR0sDhkA7ydZGNc%3D&reserved=0>.
>
> Our intent is to ensure that 1) clear,
> accurate guidance on CA expectations is
> provided and 2) any resources assisting CAs in
> meeting these expectations are fully
> described, publicly available (somewhere) and
> with reliable links provided. The language
> below, we feel, meets the first requirement.
> We'd appreciate input on how to best meet the
> second. (Note that SSL.com
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttp-3A__ssl.com_%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3Dj-4qIhXvNMe9dfS8B8CWq0sSP-IOQRNSRmpjiPXIFZw%26m%3DJnxStoHpP62BM2-15Vtby3qBQbCdQrSyCNPjVNH_IS8%26s%3DSGnteTNpPS1X4ickvt5qbC2WDrpValWXK42R9uvwO04%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642593164%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Md402CkKLuMhPQ2vODsG3LBIbFXj2oMfpwswhqW5s7A%3D&reserved=0> would
> be happy to support the community by hosting
> any of these as publicly accessible resources,
> whether solo or alongside other organizations.)
>
> Chris K
>
> SSL.com
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttp-3A__ssl.com_%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3Dj-4qIhXvNMe9dfS8B8CWq0sSP-IOQRNSRmpjiPXIFZw%26m%3DJnxStoHpP62BM2-15Vtby3qBQbCdQrSyCNPjVNH_IS8%26s%3DSGnteTNpPS1X4ickvt5qbC2WDrpValWXK42R9uvwO04%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642593164%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Md402CkKLuMhPQ2vODsG3LBIbFXj2oMfpwswhqW5s7A%3D&reserved=0>
>
> =====
>
> --- Motion Begins ---
>
> This ballot modifies the “Baseline
> Requirements for the Issuance and Management
> of Publicly-Trusted Certificates” as follows,
> based on Version 1.7.4:
>
> Proposed ballot language:
>
> *4.9.1.1 Reasons for Revoking a Subscriber
> Certificate*
>
> Replace:
>
> 4. The CA is made aware of a demonstrated or
> proven method that can easily compute the
> Subscriber’s Private Key based on the Public
> Key in the Certificate (such as a Debian weak
> key, see https://wiki.debian.org/SSLkeys
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwiki.debian.org-252FSSLkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987831575-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DpXeTXYoS8oYMQteThIRSdhISQokGG4nL-252BHSymGxAwPg-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DZtytHt-KbbrRxo2oN_oCa2ihhQEPcupL52pOSa3xs9U%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642593164%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ez10XaxDaL25e6wSHf48ERSqnbxnd2X4%2FozFwrWaDNA%3D&reserved=0>)
>
>
> With:
>
> 4. The CA is made aware of a demonstrated or
> proven method that can easily compute the
> Subscriber’s Private Key (such as those
> identified in 6.1.1.3(4)).
>
> ---
>
> *6.1.1.3. Subscriber Key Pair Generation*
>
> Replace:
>
> The CA SHALL reject a certificate request if
> one or more of the following conditions are met:
>
> 1. The Key Pair does not meet the requirements
> set forth in Section 6.1.5 and/or Section 6.1.6;
>
> 2. There is clear evidence that the specific
> method used to generate the Private Key was
> flawed;
>
> 3. The CA is aware of a demonstrated or proven
> method that exposes the Applicant's Private
> Key to compromise;
>
> 4. The CA has previously been made aware that
> the Applicant's Private Key has suffered a Key
> Compromise, such as through the provisions of
> Section 4.9.1.1;
>
> 5. The CA is aware of a demonstrated or proven
> method to easily compute the Applicant's
> Private Key based on the Public Key (such as a
> Debian weak key, see
> https://wiki.debian.org/SSLkeys
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwiki.debian.org-252FSSLkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987831575-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DpXeTXYoS8oYMQteThIRSdhISQokGG4nL-252BHSymGxAwPg-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DZtytHt-KbbrRxo2oN_oCa2ihhQEPcupL52pOSa3xs9U%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642643154%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2ByMNXcOE%2FqkZuKvqzEjK18noUoVafR55WJRIDFTieEM%3D&reserved=0>).
>
>
> With:
>
> The CA SHALL reject a certificate request if
> one or more of the following occurs:
>
> 1) The requested Public Key does not meet the
> requirements set forth in Sections 6.1.5
> and/or 6.1.6;
>
> 2) The CA is aware of a demonstrated or proven
> method that exposes the Subscriber's Private
> Key to compromise;
>
> 3) The CA has previously been made aware that
> the Subscriber's Private Key has suffered a
> Key Compromise, such as through the provisions
> of Section 4.9.1.1;
>
> 4) The Public Key corresponds to an industry
> demonstrated weak Private Key, in particular:
>
> a) In the case of ROCA vulnerability, the CA
> SHALL reject keys identified by the tools
> available at
> https://github.com/crocs-muni/roca
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252Fcrocs-2Dmuni-252Froca-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987841531-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DpVWa4-252Fu9mO6gfEAN2FHOMx83i-252FGSUcG-252BfzyDoHm1xKs-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3D6j9rei_kmtaqpNr-93i7Jp1C7q5YNaJtJJ2z3Rn5FzE%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642643154%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Kpr7zVhhPGCAnGS5lP8HBIQsjTCoIrNohPqdsU1PJlE%3D&reserved=0> or
> equivalent.
>
> b) In the case of Debian weak keys
> (https://wiki.debian.org/SSLkeys
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwiki.debian.org-252FSSLkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987841531-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DfJSWwzvoeepBzwSexsg-252FFSKZKusdynxlt-252F1gItUiii0-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3D7VJmjfUviaQVQ3rIxm7xE-dFcYL1TLUk2yNWY4hFx0U%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642643154%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=2ZaTPeUPtigylDIuwYq0zUYAEC4JyGL4hrminV3rQ%2BI%3D&reserved=0>),
> the CA SHALL reject at least keys generated by
> the flawed OpenSSL version with the
> combination of the following parameters:
>
> i) Big-endian 32-bit, little-endian 32-bit,
> and little-endian 64-bit architecture;
>
> ii) Process ID of 0 to 32767, inclusive;
>
> iii) All RSA Public Key lengths supported by
> the CA up to and including 4096 bits;
>
> iv) rnd, nornd, and noreadrnd OpenSSL random
> file state.
>
> For Debian weak keys not covered above, the CA
> SHALL take actions to minimize the probability
> of certificate issuance.
>
> --- Motion Ends ---
>
> On 1/18/2021 3:34 PM, Rob Stradling wrote:
>
> > I'm mid-way through generating the RSA-4096 keys.
>
> The RSA-4096 private keys and blocklists
> are now in
> https://github.com/CVE-2008-0166/private_keys
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-252Fprivate-5Fkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987851488-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3Dt2XnHbMAXRIJHGzz-252BLi4gptSfi957l-252Fkz5fcaUc4PxA-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DiSbz-XCr-uFk_7Y8gJ0DA2ii9QYdRcBI5WcrvGeE55Q%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642643154%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=qhpx0PdMEhqyXSAWlZ6L3TYZNeHK7Q8N2%2BbRCIo%2B14o%3D&reserved=0> andhttps://github.com/CVE-2008-0166/openssl_blocklists
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-252Fopenssl-5Fblocklists-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987851488-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3D-252B-252Fmznq3F0GbWZjrE1G08DqSXBOxYTLtIF1l7pLatjoU-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG%25207RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3D-tHYY-qeEG6kULte0FSWXNcttvh6n3BUnjh8PTDXi-c%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642643154%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=72z%2B4M4Kl%2BWZ%2B%2FuZXJFSC262CzC9BJf7NKHKd37n%2FUA%3D&reserved=0>.
>
> The RSA-2048 and RSA-4096 private keys in
> https://github.com/HARICA-official/debian-weak-keys
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FHARICA-2Dofficial-252Fdebian-2Dweak-2Dkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987861437-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DFb5kG1Ob413KX19BP-252B37xpIahSiKi2FIZ5NfuZ-252FkuPU-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3D_lfhBqavAtNpmBCedDWRhR5JY_praNbAngJx0m7i14E%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642643154%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2FV%2FOPEwTmARBYx8286yAEtZ0kNXq%2Bqw8vo66EkVNqXo%3D&reserved=0> (which
> only covers 2 of the 3 word size /
> endianness combinations) are identical to
> the equivalents in
> https://github.com/CVE-2008-0166/private_keys
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-252Fprivate-5Fkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987861437-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DoDDkulWGG70BklQLLMR0GsX-252FRIy20y-252FKtw9gGijGyhE-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DyAkqXLZo2IvXlCZvKvbFvweWp1zicZGNjpQ-S6gHQbY%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642643154%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=wzRI2fBqwnYt%2FItJ3qX1EnqMruvoyr1Fb1IflYPURsQ%3D&reserved=0>.
>
> ------------------------------------------------------------------------
>
> *From:* Dimitris Zacharopoulos (HARICA)
> <dzacharo at harica.gr>
> <mailto:dzacharo at harica.gr>
> *Sent:* 14 January 2021 18:39
> *To:* Rob Stradling <rob at sectigo.com>
> <mailto:rob at sectigo.com>; CA/B Forum
> Server Certificate WG Public Discussion
> List <servercert-wg at cabforum.org>
> <mailto:servercert-wg at cabforum.org>; Jacob
> Hoffman-Andrews <jsha at letsencrypt.org>
> <mailto:jsha at letsencrypt.org>; Christopher
> Kemmerer <chris at ssl.com>
> <mailto:chris at ssl.com>
> *Subject:* Re: [Servercert-wg] SCXX Ballot
> proposal: Debian Weak keys
>
> CAUTION: This email originated from
> outside of the organization. Do not click
> links or open attachments unless you
> recognize the sender and know the content
> is safe.
>
> On 14/1/2021 12:30 π.μ., Rob Stradling wrote:
>
> Thanks Dmitris.
>
> So far I've generated the RSA-2048 and
> RSA-3072 keys using
> https://github.com/CVE-2008-0166/key_generator
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-252Fkey-5Fgenerator-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987871399-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3D4kKGwenlWGRmGjkIWofWWWnykgyNAgmJj1knMJ9PFz4-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DNAsWm8iu6UPJcqogRr7ZHylAINg9o87jFWyCbM_GxlE%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642643154%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=qjyWlVO1o%2FrROa3gXqui5d8a9kqQRk22tTx84ZY07%2FM%3D&reserved=0> and
> uploaded them to
> https://github.com/CVE-2008-0166/private_keys
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-252Fprivate-5Fkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987871399-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DDS2Fb707J-252BWD3UlBsOMtUWBl-252B5JkoU3S9twMJn8eSps-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DwLahGmkoShePVAd3354Vg-KIUIG_bUnevY1465It5Jk%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642643154%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=e3lcjB%2F9ZttUW%2FYPEBXLkBWgFf6RLkePGpRIcTNitFk%3D&reserved=0>,
> and I've generated the corresponding
> blocklists and uploaded them to
> https://github.com/CVE-2008-0166/openssl_blocklists
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FCVE-2D2008-2D0166-252Fopenssl-5Fblocklists-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987871399-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DJtYLdAD8pwpvivoIfMXAeEjofoK0FqoijWEb4Sc9OV4-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DNrxlbUT4xWxoifiZhepNwMg-9wFwdQwvVmKKxNVBuk8%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642643154%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NjtpOmBLveMOTMJiM%2B5tC7elvIFzqDIKW%2FPKl6Si7mY%3D&reserved=0>.
> My RSA-2048 blocklists exactly match
> the ones from the original Debian
> openssl-blacklist package.
>
> I'm mid-way through generating the
> RSA-4096 keys.
>
> Let's compare keys when we're both
> done. 🙂
>
>
> Certainly :-) the RSA-2048 keys already
> match the fingerprints from the
> openssl-blacklist Debian package.
>
> We did this work several months ago but
> never found the time to make it publicly
> available. We managed to break down the
> big task and run jobs in parallel which
> made things a bit more interesting.
>
> It's nice we did this independently, I
> guess it increases the accuracy level of
> the resulted keys :)
>
>
> Cheers,
> Dimitris.
>
> ------------------------------------------------------------------------
>
> *From:* Dimitris Zacharopoulos
> (HARICA) <dzacharo at harica.gr>
> <mailto:dzacharo at harica.gr>
> *Sent:* 13 January 2021 21:49
> *To:* Rob Stradling <rob at sectigo.com>
> <mailto:rob at sectigo.com>; CA/B Forum
> Server Certificate WG Public
> Discussion List
> <servercert-wg at cabforum.org>
> <mailto:servercert-wg at cabforum.org>;
> Jacob Hoffman-Andrews
> <jsha at letsencrypt.org>
> <mailto:jsha at letsencrypt.org>;
> Christopher Kemmerer <chris at ssl.com>
> <mailto:chris at ssl.com>
> *Subject:* Re: [Servercert-wg] SCXX
> Ballot proposal: Debian Weak keys
>
> CAUTION: This email originated from
> outside of the organization. Do not
> click links or open attachments unless
> you recognize the sender and know the
> content is safe.
>
> Dear friends,
>
> HARICA has generated the weak keys
> (RSA 2048 and 4096 bit lengths) from
> the vulnerable openssl package. We
> will generate 3072 bit keys as well
> and add them soon. The methodology is
> described in the following GitHub repo
> along with the produced keys:
>
> 1. https://github.com/HARICA-official/debian-weak-keys
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgithub.com-252FHARICA-2Dofficial-252Fdebian-2Dweak-2Dkeys-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987881346-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3D61WsoKxsDa5-252FjBab75Y-252FZG4PbcoE3RVkCWg-252BsfY2Aww-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DdWL9G_dD07M3-kQ4faHXjdMzoGF9wF5hEGlN2IrPwiA%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642643154%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=wTp7hC4TVyAVCSTNxMHyLDqN%2BKvJkFQCmg%2B6ZTasB3w%3D&reserved=0>
>
> Please review and let us know if you
> spot any issues or problems with our
> approach and methodology.
>
> As always, please use other people's
> work at your own risk.
>
>
> Dimitris.
>
> On 7/1/2021 2:25 μ.μ., Rob Stradling
> via Servercert-wg wrote:
>
> I've used crt.sh to produce a
> survey of key algorithms/sizes in
> currently unexpired,
> publicly-trusted server certificates:
>
> https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgist.github.com-252Frobstradling-252Fa5590b6a13218fe561dcb5d5c67932c5-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987881346-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3D4qveGxYahVQ6FbihVosw69bsGUs7hG1ytgI6YLxqYbY-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3D0JiuTeERFFPZRGiB5foBRJZ5kJjHk51DCLjQbBVwSxc%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642693143%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=zqTIP%2FEEaaEkPpEkebTry5iotrCbskoX36sI2WAkrZY%3D&reserved=0>
>
> The four most popular choices are
> no surprise: RSA-2048, P-256,
> RSA-4096, and P-384.
> openssl-blacklist covers RSA-2048
> and RSA-4096, and ECC keys are
> implicitly not Debian weak keys.
>
> Fifth most popular is RSA-3072,
> with over 3 million unexpired,
> publicly-trusted server certs.
> openssl-blacklist doesn't cover
> RSA-3072, but ISTM that this is a
> key size that CAs will want to permit.
>
> Some of the lesser used key sizes
> are mostly likely due to
> Subscriber typos (e.g., 2408 and
> 3048 were probably intended to be
> 2048, 4048 was probably intended
> to be either 2048 or 4096, etc),
> but some of the other ones look
> like they were deliberately chosen
> (e.g., 2432 is 2048+384). Is it
> worth generating Debian weak
> keys/blocklists for any of these
> key sizes?
>
> https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fnvlpubs.nist.gov-252Fnistpubs-252FSpecialPublications-252FNIST.SP.800-2D57pt1r5.pdf-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987891313-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DrG1bgcAgL7P3RtCaCJ0cZTcYPkcUhTlsR4J6ulGFgso-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3DzehaaELHzHzxLDM3dCTeAYaSLMufH4svdbHT74RDcq0%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642693143%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=0o0Plw5xgK%2BX79E9qnhIhRzI4N1Nieg1wzC1ogUS6as%3D&reserved=0> (Table
> 4, p59) permits RSA-2048 until the
> end of 2030, whereas
> https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.2.pd
> f
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam04.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwww.sogis.eu-252Fdocuments-252Fcc-252Fcrypto-252FSOGIS-2DAgreed-2DCryptographic-2DMechanisms-2D1.2.pdf-26data-3D04-257C01-257Crob-2540sectigo.com-257Ca8c9d97cd4114ebf508708d9930d343d-257C0e9c48946caa465d96604b6968b49fb7-257C0-257C0-257C637702508987891313-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C2000-26sdata-3DgCbutfTj362g-252BHqbrbYgcpm5etqbhCvUFpp8E2UYinE-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeuGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM%26r%3D-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY%26m%3DfMDCutmeJbXlHHWIZLMy2UAZB79bm_AVGAAADmUsNAE%26s%3D2FZ19CpL6_a-dWd0zh1d-4HiMpn4pWyZ0lsH3f1k140%26e%3D&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642693143%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=019WU3DYLHSYoFyljNzRrTE97m41TL%2B%2BP8e7ePlsxJA%3D&reserved=0> permits
> RSA-2048 only until the end of
> 2025. It is of course possible
> that quantum computing will render
> RSA obsolete before Subscribers
> need to think about which larger
> RSA keysize they want to migrate
> to; however, it seems prudent to
> also plan for the possibility that
> RSA will survive and that some
> other RSA keysize(s) might become
> popular.
>
> ------------------------------------------------------------------------
>
> *From:* Servercert-wg
> <servercert-wg-bounces at cabforum.org>
> <mailto:servercert-wg-bounces at cabforum.org> on
> behalf of Rob Stradling via
> Servercert-wg
> <servercert-wg at cabforum.org>
> <mailto:servercert-wg at cabforum.org>
> *Sent:* 06 January 2021 16:08
> *To:* Jacob Hoffman-Andrews
> <jsha at letsencrypt.org>
> <mailto:jsha at letsencrypt.org>;
> Christopher Kemmerer
> <chris at ssl.com>
> <mailto:chris at ssl.com>; CA/B Forum
> Server Certificate WG Public
> Discussion List
> <servercert-wg at cabforum.org>
> <mailto:servercert-wg at cabforum.org>
> *Subject:* Re: [Servercert-wg]
> SCXX Ballot proposal: Debian Weak keys
>
> CAUTION: This email originated
> from outside of the organization.
> Do not click links or open
> attachments unless you recognize
> the sender and know the content is
> safe.
>
>
>
>
> _______________________________________________
>
> Servercert-wg mailing list
>
> Servercert-wg at cabforum.org
>
> https://lists.cabforum.org/mailman/listinfo/servercert-wg <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Ckarina.sirota%40microsoft.com%7C94d75ad129bc49ce855a08da1f2c38b0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637856574642693143%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=D82FfVq0lK9ogBytNGrkTC6y6RsOYiQXJ09%2FZB92chU%3D&reserved=0>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20220504/103ef57a/attachment-0001.html>
More information about the Servercert-wg
mailing list