that (claim
to) hold alternative, more compact checking formats for the same key material.
From: Wayne Thayer
Sent: 17 April 2024 00:46
To: Rob Stradling
Cc: Clint Wilson ; CA/B Forum Server Certificate WG Public
Discussion List
Subject: Re: [Servercert-wg] Compro
On Tue, Apr 16, 2024 at 3:23 PM Rob Stradling wrote:
> > Rob Stradling: I would like to import your repo to
> github.com/cabforum/Debian-weak-keys. May I have your permission to do so?
>
> Hi Wayne. I put together the repositories at
> https://github.com/CVE-2008-0166 a few years ago with the
_
From: Servercert-wg on behalf of Wayne
Thayer via Servercert-wg
Sent: 12 April 2024 20:41
To: Clint Wilson
Cc: ServerCert CA/BF
Subject: Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal
CAUTION: This email originated from outside of the organization. Do not c
ert-wg
mailto:servercert-wg@cabforum.org>>
Sent: Friday, April 12, 2024 11:35:42 PM
To: Clint Wilson mailto:cli...@apple.com>>; ServerCert CA/BF
mailto:servercert-wg@cabforum.org>>
Subject: Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal
I've updated https: //github. com/wthayer/
t; of keys, what changes are expected then?
>
> Regards,
> Tomas
>
>
> --
> *From:* Servercert-wg on behalf of
> Wayne Thayer via Servercert-wg
> *Sent:* Friday, April 12, 2024 11:35:42 PM
> *To:* Clint Wilson ; ServerCert CA/BF <
> servercert-wg@cabforum.org>
> *Subject
Thanks Wayne for your efforts! I like the current wording very much.
Kind regards
Roman
From: Servercert-wg On Behalf Of Wayne
Thayer via Servercert-wg
Sent: Freitag, 12. April 2024 23:36
To: Clint Wilson ; ServerCert CA/BF
Subject: Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal
vercert-wg] Compromised/Weak Keys Ballot Proposal
I've updated https: //github. com/wthayer/servercert/pull/1/files as follows to
exclude large key sizes: In the case of Debian weak keys vulnerability (https:
//wiki. debian. org/SSLkeys)), the CA SHALL reject all keys found at https:
//github. co
I've updated https://github.com/wthayer/servercert/pull/1/files as follows
to exclude large key sizes:
In the case of Debian weak keys vulnerability (
> https://wiki.debian.org/SSLkeys)), the CA SHALL reject all keys found at
> https://github.com/cabforum/debian-weak-keys/ for each key type (e.g.
Hi Wayne,
That was indeed my intent, but I’m happy with the proposal either way.
Thank you,
-Clint
> On Apr 12, 2024, at 12:33 PM, Wayne Thayer wrote:
>
> Thank you Clint and Aaron, this is helpful. Here is what I propose:
>
>> In the case of Debian weak keys vulnerability
>>
Thank you Clint and Aaron, this is helpful. Here is what I propose:
In the case of Debian weak keys vulnerability ([
> https://wiki.debian.org/SSLkeys)]), the CA SHALL reject all keys found at
> [https://github.com/cabforum/debian-weak-keys/] for each key type (e.g.
> RSA, ECDSA) and size listed
Hi Aaron,
Your proposed phrasing sounds good to me and matches what I had in mind as the
end result of the changes represented in Set 1, just structured slightly
differently.
Cheers,
-Clint
> On Apr 11, 2024, at 9:47 AM, Aaron Gable wrote:
>
> On Thu, Apr 11, 2024 at 9:12 AM Clint Wilson
On Thu, Apr 11, 2024 at 9:12 AM Clint Wilson via Servercert-wg <
servercert-wg@cabforum.org> wrote:
> In other words, I believe it satisfactory to establish a constrained set
> of Debian weak keys which CAs must block (rather than leaving the
> requirement fully open-ended), but I don’t believe
08-0166/private_keys are correctly encoded.
>>>
>>> > * Roman Fischer suggested that we limit the requirement to check Debian
>>> > weak keys only with sizes up to RSA 4096 under the logic that no one
>>> > would “accidentally” create an 8192 bit RSA key on a syste
e 8192-bit RSA Debian weak keys.
>
> --
> *From:* Servercert-wg on behalf of
> Wayne Thayer via Servercert-wg
> *Sent:* 05 April 2024 23:47
> *To:* CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg@cabforum.org>
> *
<mailto:servercert-wg-boun...@cabforum.org>> on behalf of Wayne Thayer via
> Servercert-wg mailto:servercert-wg@cabforum.org>>
> Sent: 05 April 2024 23:47
> To: CA/B Forum Server Certificate WG Public Discussion List
> mailto:servercert-wg@cabforum.org>>
> Subject: Re
bit RSA Debian weak keys.
From: Servercert-wg on behalf of Wayne
Thayer via Servercert-wg
Sent: 05 April 2024 23:47
To: CA/B Forum Server Certificate WG Public Discussion List
Subject: Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal
CAUTION: This email originated from outside of the or
Two new alternatives have been proposed in addition to the one I proposed
below:
* Aaron Gable commented in the PR with a suggestion that we require CAs to
reject any key found in Hanno Bock's repository at
https://github.com/badkeys/debianopenssl. This includes RSA
1024/2048/3072/4096 and EC
?
From: Servercert-wg On Behalf Of Wayne
Thayer via Servercert-wg
Sent: Freitag, 29. März 2024 00:14
To: CA/B Forum Server Certificate WG Public Discussion List
Subject: Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal
There was further discussion of this ballot proposal on today's
There was further discussion of this ballot proposal on today's
teleconference. It was suggested that rather than omitting any reference to
Debian weak keys, the ballot should retain the current language.
Unfortunately, the ballot restructures the language in such a way that this
is challenging.
was identified).
Regards
Mads
From: Servercert-wg On Behalf Of Roman
Fischer via Servercert-wg
Sent: Monday, March 25, 2024 9:06 AM
To: CA/B Forum Server Certificate WG Public Discussion List
Subject: Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal
I would propose a pragmatic approach: Limit
Thayer via Servercert-wg
Sent: Freitag, 15. März 2024 19:20
To: CA/B Forum Server Certificate WG Public Discussion List
Subject: Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal
On yesterday's SCWG teleconference, Mads suggested that a way forward would be
to leave the existing requirements
On yesterday's SCWG teleconference, Mads suggested that a way forward would
be to leave the existing requirements in place for Debian weak keys. I've
interpreted that to mean that we would just remove references to Debian,
resulting in this: https://github.com/wthayer/servercert/pull/1/files
I'm
FWIW, I think in the recent years, it was mostly security researchers
that attempted to request certificates with Debian weak keys to test if
a CA was properly blocking them.
If an Applicant uses an outdated OS that generates weak keys, imagine
the actual web server or other software that
Hi Clint,
Thank you for your response. Unfortunately, it leads me to the conclusion
that there is not a path forward and we're stuck with the status quo.
Having said that, I'll reply to a few of your points below and encourage
others to do the same if there is a desire to move forward with an
e alright with removing the debian weak key check requirement itself. But
>>> calling it out explicitly as an excempt, I feel is a step too much.
>>>
>>>
>>>
>>> Regards,
>>>
>>> Martijn
>>>
>>>
>>>
>
t;> even be alright with removing the debian weak key check requirement itself.
>> But calling it out explicitly as an excempt, I feel is a step too much.
>>
>>
>>
>> Regards,
>>
>> Martijn
>>
>>
>>
>> *From: *Wayne Thayer
>>
February 2024 at 17:21
> *To: *Martijn Katerbarg
> *Cc: *CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg@cabforum.org>
> *Subject: *Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal
>
> CAUTION: This email originated from outside of the organiz
uary 2024 at 17:21
To: Martijn Katerbarg
Cc: CA/B Forum Server Certificate WG Public Discussion List
Subject: Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal
CAUTION: This email originated from outside of the organization. Do not click
links or open attachments unless you recognize t
t; *To:* Tom Zermeno
> *Cc:* CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg@cabforum.org>; Martijn Katerbarg <
> martijn.katerb...@sectigo.com>
> *Subject:* Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal
>
>
Subject: Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal
You don't often get email from wtha...@gmail.com <mailto:wtha...@gmail.com> .
Learn why this is important <https://aka.ms/LearnAboutSenderIdentification>
Tom,
I had originally placed the Debi
>
> Tom
>
>
>
> *From:* Servercert-wg *On Behalf Of
> *Wayne
> Thayer via Servercert-wg
> *Sent:* Friday, February 23, 2024 11:18 AM
> *To:* Martijn Katerbarg
> *Cc:* CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg@cabforum.org&
te WG Public Discussion List
mailto:servercert-wg@cabforum.org> >
Subject: Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal
CAUTION: This email originated from outside of the organization. Do not click
links or open attachments unless you recognize the sender and know the content
is safe.
r them (anymore)?
>
>
> Regards,
>
> Martijn
>
>
>
> *From: *Servercert-wg on behalf of
> Wayne Thayer via Servercert-wg
> *Date: *Thursday, 22 February 2024 at 20:01
> *To: *CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg@cabforum.or
Date: Thursday, 22 February 2024 at 20:01
To: CA/B Forum Server Certificate WG Public Discussion List
Subject: Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal
CAUTION: This email originated from outside of the organization. Do not click
links or open attachments unless you recognize
I am seeking a second endorser for this proposal. Below is a draft of the
ballot language.
Thanks,
Wayne
**Ballot SC-XX: Compromised / Weak Keys**
This ballot updates BR section 6.1.1.3 to address two issues:
First, the requirements placed on CAs to reject a
Thank you fo the feedback Aaron. I agree with both points you made in the
PR and have updated it to reflect your suggestions.
- Wayne
On Mon, Feb 12, 2024 at 12:27 PM Aaron Gable wrote:
> Thank you Wayne! I think this gets close to the sweet spot for me,
> personally. I've left two small
Thank you Wayne! I think this gets close to the sweet spot for me,
personally. I've left two small comments on the ballot, but on the whole I
think I like this approach.
Thanks again,
Aaron
On Mon, Feb 12, 2024 at 8:18 AM Wayne Thayer via Servercert-wg <
servercert-wg@cabforum.org> wrote:
>
Following up from the last SCWG teleconference, I've reviewed the feedback
from the discussion [1] and voting [2] periods for ballot SC-59 Weak Key
Guidance, along with the prior discussions on the "made aware" language in
section 6.1.1.3 [3] and I would like to propose the following Baseline
38 matches
Mail list logo
