On Wed, Mar 11, 2020 at 10:46:05AM -0700, Chris Kemmerer via dev-security-policy wrote:
> On Tuesday, March 10, 2020 at 8:44:49 PM UTC-5, Matt Palmer wrote:
> > On Tue, Mar 10, 2020 at 01:48:49PM -0700, Chris Kemmerer via dev-security-policy wrote:
> > > For the purpose of identifying whether a Private Key is weak, SSL.com uses
> > > a set of Debian weak keys that was provided by our CA software vendor as
> > > the basis for our blacklist.
> >
> > I think it's worth getting additional, *very* detailed, information from
> > your CA software vendor as to where *they* got their Debian weak key list
> > from. That appears to be the fundamental breakdown here -- you relied on a
> > third-party to give you good service, and they didn't. So I think that
> > digging into your vendor's practices is an important line of enquiry to go
> > down.
>
> As mentioned on our report, we used that list as a basis, and paid
> attention to augment it with other weak keys from available blacklists,
So presumably if there are other Mozilla-trusted CAs using the same CA
vendor, who *are* doing the bare minimum and just using the CA vendor's key
list, they're even more vulnerable to a potential misissuance. As you
mentioned that your CA software vendor does read this list, I *really* hope
they speak up soon so we can figure out how they got their key list.
> weak keys from available blacklists, even for the ROCA vulnerability.
Sidenote: my understanding of ROCA is that it is of a different form to the
Debian weak key problem, in that you can't a priori enumerate ROCA-impacted
keys, but can only identify them as you find them. As such, my
understanding is that there isn't, and in fact *cannot*, be a comprehensive
"blacklist", as such, of keys affected by ROCA.
Is your understanding of the ROCA vulnerability different to my description
above, and if not, can you explain how a "blacklist"-based approach is a
suitable mitigation for avoiding issuance of certificates using
ROCA-impacted private keys?
(Conversely, if it *is* possible get a comprehensive list of ROCA-impacted
keys, I know what I'm doing this weekend...)
> For what it's worth, we believe that the current language in the BRs could
> be less ambiguous as far as the Debian weak keys are concerned. For
> example, it seems that the community's expectations are for CAs to detect
> and block weak Debian keys generated by vulnerable RNG using OpenSSL in
> popular architectures.
The problem with using the argument that "the BRs are ambiguous" to try and
defend a breach of them is that there are always potential ambiguities in
all language -- in many ways, "ambiguity is in the eye of the beholder"
("ambiguer"?). My understanding of the consensus from past discussions on
this list is that if a CA believes there is an ambiguity in the BRs, the
correct action is to raise that in the CA/B Forum *before* they fall foul of
it.
CAs should be reading the BRs, as I understand it, in a "defensive" mode,
looking for requirements that could be read multiple ways, and when they are
found, the CA needs to ensure either that they are complying with the
strictest possible reading, or else bringing the ambiguity to the attention
of the CA/B Forum and suggesting less ambiguous wording.
At any rate, it would be helpful to know what, precisely, SSL.com's
understanding of this requirement of the BRs prior to the commencement of
this incident. Can you share this with us? Presumably SSL.com did a
careful analysis of all aspects of the BRs, and came to a conclusion as to
precisely what was considered "compliant". With regards to this
requirement, what was SSL.com's position as to what was necessary to be
compliant with this aspect of the BRs?
> That could be added in the BRs:
>
> Change:
> "The CA SHALL reject a certificate request if the requested Public Key
> does not meet the requirements set forth in Sections 6.1.5 and 6.1.6 or if
> it has a known weak Private Key (such as a Debian weak key, see
>
http://wiki.debian.org/SSLkeys)"
>
> to something like:
> "The CA SHALL reject a certificate request if the requested Public Key
> does not meet the requirements set forth in Sections 6.1.5 and 6.1.6 or if
> it has a known weak Private Key using, as a minimum set the Debian weak
> keys produced by OpenSSL in i386 and x64 architectures (see
>
http://wiki.debian.org/SSLkeys)"
It would appear that SSL.com is a member in good standing of the CA/B Forum.
Is there any intention on the part of SSL.com to propose this change as a
ballot? While you're at it, if you could include a fix for the issue
described in
https://github.com/cabforum/documents/issues/164, that would be
appreciated, since it is the same sentences that need modification, and for
much the same reasons.
> Then, it would be clear that all CAs would need to block "at least" the
> vulnerable keys produced by OpenSSL and could add other keys produced by
> OpenSSH or other applications if they wanted a "more complete" list.
Well, you're still missing the rnd/nornd/noreadrnd variations, and there's
no specification as to what key sizes are considered the bare minimum.
> > > This information was disclosed on 2020-03-07 to the person that submitted
> > > the Certificate Problem Report.
> >
> > I don't see anything from SSL.com that looks relevant in my inbox, but it's
> > not an important point, just thought I'd mention it in passing.
>
> For the record, we replied to
mpa...@hezmatt.org at 2020-03-07 8:41 PM (UTC)
> Email subject: "Problem Report for certificate(s) with compromised private key"
> Can you please confirm?
> We did disclose the source of our weak keys in that email.
Unfortunately that's the default subject line I use on my problem reports,
so it's not as helpful as it might otherwise be. Looking through recent
correspondence, though, I'm certainly not finding anything. If you've got a
message ID, or even better the queue ID that my MTA would have responded
with when it accepted the message (which could be obtained from your MTA's
logs), that'd help me track down what happened to it. At any rate, there's
no delivery attempts at *all* in my mail logs between 20:37:19 and 21:03:30
on 2020-03-07, so it looks like it got in the post to at least some degree.
> > > The above practices comply with our CP/CPS, version 1.8, section 6.1.1.2,
> > > which states:
> > >
> > > "SSL.com shall reject a certificate request if the request has a known
> > > weak Private Key".
> >
> > Hmm, "known" is doing a lot of work in that sentence. Known to *whom* is
> > the important, but unanswered, question.
[snip]
> This language was mainly taken from the Baseline Requirements.
Sure, but SSL.com presumably came to some understanding as to what that
sentence meant at the time it was included in SSL.com's CPS, given that the
organisation was committing to do it. I think it would be valuable to know
what that understanding was, if for no other reason than so that Mozilla can
say, in the next CA communication, "if you think that "known weak Private
Key" means "known to <X>, be advised that that that is not an appropriate
interpretation, and you'll want to get onto that."
> Unfortunately the format of the blacklists in openssl-blacklist is
> incompatible with our CA software which expects the SHA256 hash of the
> modulus, that's why we mention about acquiring the actual public keys.
That is an... interesting approach. How does your CA software check for
known-bad EC keys? Yes, OpenSSL 0.9.8 didn't support EC keys, but Debian
weak keys aren't the only known-bad keys in existence.
> In our understanding, many individuals are in possession of such lists and
> it would certainly expedite things, along with reducing waste from
> duplicate effort, if you or others with similar lists, decided to share
> the actual keys with the broader community.
Given the number of active, unrevoked certificates using private keys that
I've already found laying around (see, for example,
https://misissued.com/batch/64/), dumping all the known-compromised private
keys in existence in one place *might* not be considered a winning idea by
all and sundry. I do appreciate your desire to watch the world burn,
though. It's very Cyberpunk.
Further, a point-in-time publication of any list of keys would not be
particularly useful, as new private keys are *regularly* being disclosed,
and thus any list would very quickly be out-of-date. Even if the published
list were regularly augmented with new entries, history has shown that
people are far too keen on downloading a list once, stuffing into their (in
this case) CA software, and saying "job done!", and thus they lull
themselves into a false sense of security.
I've seen this happen in many contexts over the years, such as in network
operations -- bogon lists get loaded into routers and firewalls, they don't
get updated, and it causes problems everywhere and forever. I'm not going
to be party to creating yet another instance of the same problem with
private keys.
> The same applies for private keys that have been publicly disclosed.
> Maintaining such a list and justifying each entry is a great contribution
> to the community. Even getting the modulus of those keys would solve many
> compatibility issues with various "key detection" solutions.
I am not averse to the provision of alternate formats of the
pwnedkeys.com
dataset, however I don't have enough spare time to generate every possible
permutation of key representation, especially when they're as odd as "SHA256
of the modulus" (even assuming there were a single unambiguous
representation of an RSA modulus, which there most certainly isn't).
> Regarding the use of external third-party systems, such as the
>
pwnedkeys.com database, we are of the opinion that no CA's certificate
> issuance process and/or their compliance should rely on an external system
> which has not been evaluated and without any SLA guarantees.
There are commercial solutions to the problem of a lack of SLA guarantees,
if that is the only roadblock.
- Matt