On Thu, 8 Sep 2022 13:44:42 +0000 "'Rob Stradling' via dev-security-policy@mozilla.org" <dev-security-policy@mozilla.org> wrote:
> I think the best approach is for CAs to use some sort of normalized > form when performing key checks. For example: always set the public > exponent to 65537 before adding an RSA public key to a blocklist (or > before checking if it's already blocked); and always convert the EC > point to the uncompressed form before adding an EC public key to a > blocklist (or before checking if it's already blocked). What I do in badkeys is that I don't blocklist keys, but values. Modulus for RSA, x coordinate for EC. For EC this makes me not worry about any encoding issues, and the x coordinate is enough to uniquely identify a key. For RSA there's a simple mathematical reason: If you have two keys with the same N and different e, and one key is broken, then the other is automatically broken as well (because if you know d you can factor N and this calculate any other key with the same N and a different e). The debian bug is a good example why this is a good idea: You can create RSA keys with e=3 with that old openssl version, the default is e=65537. If you block whole keys and you would want to consider that you'd need to double the number of keys to block. But if you block the modulus you already have that case covered. -- Hanno Böck https://hboeck.de/ -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220909115432.68e42ec6%40computer.
