On 15/02/12 02:11, Peter Eckersley wrote:
A team led by Arjen Lenstra used a new (not yet published) Observatory scan
to find tens of thousands of TLS servers with readily factorizable weak keys:

https://eff.org/deeplinks/2012/02/researchers-ssl-observatory-cryptographic-vulnerabilities

We will be working to try to let the affected server operators know that they
need to make new keys.  We will also try to contact the CAs that issued
certificates for vulnerable keys, though in many cases this is hard to do in
bulk, because CA certificates do not contain email addresses :(.

I know there are many employees of CAs on this list.  Please reply to Dan and
me privately if you have a good contact address for your CA.  It would be even
more helpful if the CA-Browser Forum could send us a dictionary that maps
either Issuer strings or AKIDs to contact email addresses.

I'm fairly sure the CAB Forum does not have that information, at least not readily to hand.

Mozilla has a database of contacts for each of the roots in our store, which may provide the information you need. I'm not certain we would be at liberty to make it available to you for privacy reasons (it depends on what was said when the data was collected) but if that's not possible, we may be able to send alerting email on your behalf.

Please contact Kathleen Wilson <kwilson at mozilla dot com> to enquire about this possibility. I'm not sure she reads this list, so she'll need the above background info.

Gerv
