The BRs, s4.9.1.1, state that a CA has up to five days to revoke a certificate where:
> The CA is made aware of a demonstrated or proven method that exposes the > Subscriber's Private Key to compromise, methods have been developed that > can easily calculate it based on the Public Key (such as a Debian weak > key, see http://wiki.debian.org/SSLkeys), or if there is clear evidence > that the specific method used to generate the Private Key was flawed. My intuition is that this clause is meant to encompass key generation flaws such as ROCA, in which you can identify "weak" keys by the properties of their public key. Such "weak" keys may still take some time to recover the private key given the public key, however the usual cryptographic security guarantees cannot be assumed to apply. However, the specific example given in the BRs, that of Debian weak keys, does not fit the general pattern above. As far as I am aware, there is no way to identify a Debian weak key purely by examining the properties of the public key. Debian weak keys can (only) be identified by referring to a list of keys generated using the flawed technique. Whilst you can, in theory, provide such a lookup table without also providing the private keys themselves, in practice anyone who has a lookup table will also have (access to) the full private key material. The problem is that a private key which is, for all intents and purposes, public information, is a compromised key, and should presumably come under the 24 hour revocation deadline part of s4.9.1.1. However, a Debian weak key is *explicitly* listed as coming under the five day revocation deadline. Therefore, the question I'm asking is: should Mozilla (aka the community and CA module owner and peers) make a policy decision to treat certificates issued with a known Debian weak key differently to that of the BRs, and insist on revocation within 24 hours (as a compromised key) rather than within five days (as a "Debian weak key")? Thanks, - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
