[Servercert-wg] SC-59 Weak Key Guidance v.2 - Discussion Period

Thu Jul 6 06:32:20 UTC 2023

From my point of view the proposed ballot text requires that a CA must be able to identify all possible (theoretical?) Debian weak keys for all key sizes supported by the CA. In practice this would mean that we will have to limit the supported key sizes to the those were it’s feasible to identify such keys (e.g. 2048, 4096 bits RSA – as defined in available tools). This is possible, but not optimal for us. If the Debian weak key requirement will be removed or loosened up later, we could revert the supported key sizes again and this would be confusing for our Subscribers and the market.

I would therefore prefer that we decide how we would like the treatment of Debian weak keys (for all key sizes) should be in the future now - before the ballot is finalized. I am in favor of CAs checking for vulnerable keys, but not if the risk of using such keys is mostly theoretical.

Regards
Mads

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Wayne Thayer via Servercert-wg
Sent: Thursday, July 6, 2023 12:40 AM
To: Clint Wilson <clintw at apple.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] SC-59 Weak Key Guidance v.2 - Discussion Period

On Wed, Jul 5, 2023 at 2:15 PM Clint Wilson via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>> wrote:
I agree with the ballot author(s) and endorsers. This ballot is focused on addressing gaps in the current BRs related to overall weak key guidance (not just Debian weak key checks). The topic of removing the requirement for Debian weak key checking is separate from what I understand the intent and goal of this ballot to ever have been and should be addressed in its own ballot.

Is the concern from CAs that the Debian weak key requirements in this ballot are meaningfully different than what they’re doing today, and they’d like to avoid doing that work? If so, can you explain what the difference(s) is and what impact it’s expected to have for your CA?

I don't want to speak for Christophe, but the proposed requirements for checking Debian weak keys are clearly more prescriptive and will at a minimum require any diligent CA to evaluate their implementation to verify compliance. I don't think it's unreasonable to assume that some CAs will need to make changes to fully comply. Given the debate about the value of this requirement, moving ahead is a suboptimal use of CA resources.

Suggestion: Perhaps the specifics could be removed from the Debian weak keys list item in this ballot and deferred to a future ballot that either completely removes, or adds the desired detail to the requirement?

Thanks,

Wayne

FWIW my read of the current situation is that I don’t think there’s consensus to remove Debian weak key checks at this time, but I do think there’s at least rough consensus that it’s a topic worth discussing/pursuing.

Thanks,
-Clint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20230706/a0b293ee/attachment-0001.html>