[Servercert-wg] SC-59 Weak Key Guidance v.2 - Discussion Period

Clint Wilson clintw at apple.com
Thu Jul 6 17:56:14 UTC 2023


Hi Mads,

The current text in the BRs states:
"The CA is aware of a demonstrated or proven method to easily compute the Applicant's Private Key based on the Public Key (such as a Debian weak key, see <https://wiki.debian.org/SSLkeys>).”

I don’t see where/how this limits the scope of the requirement to any subset of possible Debian weak keys. That is to say, I don’t think the proposed ballot text practically impacts the need for a CA to already have been identifying all possible Debian weak keys for all key sizes supported by the CA. If anything, it seems the current requirement is broader, and therefore more restrictive, than the updated requirement in this ballot, which sets forth four specific requirements which all must be met in order for the CA to be required to reject the Debian weak key.

I realize the discussion period has closed for this ballot, but wanted to share this view as I may have missed some important point or context which has lead to this difference of interpretation.

Cheers,
-Clint

> On Jul 5, 2023, at 11:32 PM, Mads Egil Henriksveen <Mads.Henriksveen at buypass.no> wrote:
> 
> From my point of view the proposed ballot text requires that a CA must be able to identify all possible (theoretical?) Debian weak keys for all key sizes supported by the CA. In practice this would mean that we will have to limit the supported key sizes to the those were it’s feasible to identify such keys (e.g. 2048, 4096 bits RSA – as defined in available tools). This is possible, but not optimal for us. If the Debian weak key requirement will be removed or loosened up later, we could revert the supported key sizes again and this would be confusing for our Subscribers and the market.
>  
> I would therefore prefer that we decide how we would like the treatment of Debian weak keys (for all key sizes) should be in the future now - before the ballot is finalized. I am in favor of CAs checking for vulnerable keys, but not if the risk of using such keys is mostly theoretical. 
>  
> Regards
> Mads 
>  
> From: Servercert-wg <servercert-wg-bounces at cabforum.org <mailto:servercert-wg-bounces at cabforum.org>> On Behalf Of Wayne Thayer via Servercert-wg
> Sent: Thursday, July 6, 2023 12:40 AM
> To: Clint Wilson <clintw at apple.com <mailto:clintw at apple.com>>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org>>
> Subject: Re: [Servercert-wg] SC-59 Weak Key Guidance v.2 - Discussion Period
>  
>  
> On Wed, Jul 5, 2023 at 2:15 PM Clint Wilson via Servercert-wg <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org>> wrote:
> I agree with the ballot author(s) and endorsers. This ballot is focused on addressing gaps in the current BRs related to overall weak key guidance (not just Debian weak key checks). The topic of removing the requirement for Debian weak key checking is separate from what I understand the intent and goal of this ballot to ever have been and should be addressed in its own ballot. 
>  
> Is the concern from CAs that the Debian weak key requirements in this ballot are meaningfully different than what they’re doing today, and they’d like to avoid doing that work? If so, can you explain what the difference(s) is and what impact it’s expected to have for your CA? 
>  
>  
> I don't want to speak for Christophe, but the proposed requirements for checking Debian weak keys are clearly more prescriptive and will at a minimum require any diligent CA to evaluate their implementation to verify compliance. I don't think it's unreasonable to assume that some CAs will need to make changes to fully comply. Given the debate about the value of this requirement, moving ahead is a suboptimal use of CA resources.
>  
> Suggestion: Perhaps the specifics could be removed from the Debian weak keys list item in this ballot and deferred to a future ballot that either completely removes, or adds the desired detail to the requirement?
>  
> Thanks,
>  
> Wayne
>  
> FWIW my read of the current situation is that I don’t think there’s consensus to remove Debian weak key checks at this time, but I do think there’s at least rough consensus that it’s a topic worth discussing/pursuing.
>  
> Thanks,
> -Clint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20230706/89f93e71/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3621 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20230706/89f93e71/attachment.p7s>


More information about the Servercert-wg mailing list