Making a contact list is not a problem, making it public needs a bit of thought.
On Wed, Feb 15, 2012 at 4:37 PM, Ondrej Mikle <[email protected]> wrote:
> On 02/15/2012 08:19 PM, Peter Eckersley wrote:
>> On Tue, Feb 14, 2012 at 06:11:49PM -0800, Peter Eckersley wrote:
>>
>> This seems consistent with Nadia Heninger's claim that these are
>> exclusively routers, VPN devices and other embedded systems:
>>
>> https://www.freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs
>>
>> Apologies for panicking any CAs over this, it seems as though router and VPN
>> manufacturers will have responsibility for responding to this problem.
>
> Don't beat yourself over it :-) With all due respect to Lenstra et al. (the work
> they did was good), the data originally provided by them made the case
> (unintentionally) sound scarier than it is.
>
> Though the idea to make a public "CA security email address contact list" would
> still be nice. For example, I've run into a dead-end when reporting yet-unknown
> certs with weak 512-bit keys with the right KU and EKU extensions for code
> signing to a CA (it was around the time when malware signed by factorized keys
> became rampant; the CA in question was trusted by Mozilla and Microsoft). The
> only officially listed contact did not respond at all (I guess only disclosure
> in a list made them actually revoke them weeks later).
>
> Also, I'd like to add a comment on keys shared by "often uninvolved parties". I
> had a discussion with Ralph Holz about our results in key-sharing and we agreed
> that in many cases, it is really hard to find out whether parties are involved
> or not (meaning: a lot of manual checking of financial registries and whatnot;
> hard to automatize). Nevertheless, there are e.g. VPS hostings that simply copy
> over installation image and do not change keys.
>
> There is also some key-sharing among RAs and CAs in CA-certs (with different
> policies stated in CPS for the products), an example (full graph of such certs
> is still on my TODO list):
>
> [two PEM-encoded certificates omitted]
>
> Ondrej

--
Website: http://hallambaker.com/
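The three checks the quoted message touches on (identical moduli shared across unrelated CA certificates, moduli sharing a prime factor with another key as in the Lenstra et al. and Heninger results, and short keys whose EKU permits code signing), as an added Python example that is not code from this thread or its participants. The key inventory is constructed from toy-size primes so the arithmetic is visible, and the 2048-bit policy threshold is an assumption.

```python
from collections import defaultdict
from math import gcd

SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth (RFC 5280)
CODE_SIGNING_EKU = "1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning (RFC 5280)

# Constructed inventory: each entry is one certificate's RSA modulus (toy-size
# primes so the arithmetic is visible) plus its EKU OID list. Not real keys.
SAMPLE_KEYS = [
    {"name": "router-A", "n": 101 * 103, "eku": [SERVER_AUTH_EKU]},
    {"name": "router-B", "n": 101 * 107, "eku": [SERVER_AUTH_EKU]},  # shares p=101
    {"name": "ca-X", "n": 109 * 113, "eku": []},
    {"name": "ca-Y", "n": 109 * 113, "eku": []},                     # same modulus as ca-X
    {"name": "codesign-Z", "n": 127 * 131, "eku": [CODE_SIGNING_EKU]},
]


def audit(keys, min_bits=2048):
    """Return (issue, [names]) findings for an inventory of RSA public keys.

    issue is one of:
      shared-modulus     the same modulus appears in more than one certificate
      shared-prime       two distinct moduli have a common factor, so both are factored
      weak-code-signing  modulus shorter than min_bits and EKU permits code signing
    min_bits=2048 is an assumed policy threshold, not something the thread states.
    """
    findings = []
    by_modulus = defaultdict(list)
    for k in keys:
        by_modulus[k["n"]].append(k["name"])

    for names in by_modulus.values():
        if len(names) > 1:
            findings.append(("shared-modulus", sorted(names)))

    # Pairwise GCD over the distinct moduli. A common factor > 1 reveals both
    # primes of both keys; large scans use a product-tree batch GCD, same test.
    moduli = list(by_modulus)
    for i, a in enumerate(moduli):
        for b in moduli[i + 1:]:
            if gcd(a, b) > 1:
                findings.append(("shared-prime", sorted(by_modulus[a] + by_modulus[b])))

    for k in keys:
        if k["n"].bit_length() < min_bits and CODE_SIGNING_EKU in k["eku"]:
            findings.append(("weak-code-signing", [k["name"]]))
    return findings


if __name__ == "__main__":
    for issue, names in audit(SAMPLE_KEYS):
        print(f"{issue:18} {', '.join(names)}")
```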
