Baseline Requirements: Treat weak keys, such as Debian keys, as compromised #164
Comments
See also this discussion.
sleevi added a commit to sleevi/cabforum-docs that referenced this issue (Apr 1, 2020)
sleevi added the baseline-requirements (Server Certificate CWG - Baseline Requirements) label (Jun 18, 2020)
sleevi added a commit to sleevi/cabforum-docs that referenced this issue (Jul 27, 2020)
sleevi added a commit to sleevi/cabforum-docs that referenced this issue (Jul 27, 2020)
This was referenced Aug 6, 2020
sleevi added a commit to sleevi/cabforum-docs that referenced this issue (Aug 25, 2020)
dzacharo pushed a commit that referenced this issue (Sep 14, 2020):
* Cleanup typos and issues from SC17
  Closes #152
* Fix an incorrect reference from 3.2.5 to 3.2.2.5
  Closes #155
* Fix typo: compliancy -> compliance
  Closes #159
* Cleanup old effective date for CP/CPSes
  Closes #161
* Update effective date for 3.2.2.4.6
  Closes #163
* Move weak key lookups into 24-hour revocation
  Closes #164
* Align Section 6.1.1.3 with 4.9.1.1
  Closes #171
* Replace RFC 6844 with RFC 8659
  Closes #168
* Clarify that revocation is permitted if required by CP/CPS/BRs
  Closes #172
* Correct links to US gov't denial lists
  Closes #76
* Add a definition for CA Key Pair
  #127
* Clarify CA Key Pair generation (#23)
  Close #184
* Attempt to clarify policy OIDs (#21)
  Attempts to resolve #179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates
* Fixup formatting issues in the PDF
* Fix issues spotted by Corey
  Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
* Cleanup EVG terminology
* Clarify organizationIdentifier contents
  As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html
* Apply further suggestions from Corey
  Correct Subscriber -> Applicant in additional places
  Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
* Spelling, formatting, punctuation improvements (#31)
  * Where a word was spelled multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used
  * MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4)
  * More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*')
  * More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage)
  * Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*)
  * Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.)
  Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
  Co-authored-by: Clint Wilson <clint@wilsonovi.com>
dzacharo added a commit that referenced this issue (Sep 14, 2020)
dzacharo added a commit that referenced this issue (Oct 16, 2020)
wthayer pushed a commit that referenced this issue (Oct 19, 2020):
* Ballot SC28v6: Logging and Log Retention (#222)
  Add SC28
* SC35: Cleanups and Clarifications (#208) (#223)
  * Cleanup typos and issues from SC17
    Closes #152
  * Fix an incorrect reference from 3.2.5 to 3.2.2.5
    Closes #155
  * Fix typo: compliancy -> compliance
    Closes #159
  * Cleanup old effective date for CP/CPSes
    Closes #161
  * Update effective date for 3.2.2.4.6
    Closes #163
  * Move weak key lookups into 24-hour revocation
    Closes #164
  * Align Section 6.1.1.3 with 4.9.1.1
    Closes #171
  * Replace RFC 6844 with RFC 8659
    Closes #168
  * Clarify that revocation is permitted if required by CP/CPS/BRs
    Closes #172
  * Correct links to US gov't denial lists
    Closes #76
  * Add a definition for CA Key Pair
    #127
  * Clarify CA Key Pair generation (#23)
    Close #184
  * Attempt to clarify policy OIDs (#21)
    Attempts to resolve #179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates
  * Fixup formatting issues in the PDF
  * Fix issues spotted by Corey
    Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
  * Cleanup EVG terminology
  * Clarify organizationIdentifier contents
    As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html
  * Apply further suggestions from Corey
    Correct Subscriber -> Applicant in additional places
    Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
  * Spelling, formatting, punctuation improvements (#31)
    * Where a word was spelled multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used
    * MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4)
    * More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*')
    * More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage)
    * Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*)
    * Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.)
    Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
    Co-authored-by: Clint Wilson <clint@wilsonovi.com>
  Co-authored-by: sleevi <ryan.sleevi@gmail.com>
  Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
  Co-authored-by: Clint Wilson <clint@wilsonovi.com>
* Update version numbers and cover pages.
* Update effective date to 2020-10-19.
* Update version for the cover page
  Co-authored-by: sleevi <ryan.sleevi@gmail.com>
  Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
  Co-authored-by: Clint Wilson <clint@wilsonovi.com>
The Baseline Requirements, Section 4.9.1.1, allow for up to five days for revocation if "methods have been developed that can easily calculate it {the private key} based on the Public Key".
However, the BRs also require revocation in 24 hours if the Private Key has been compromised.
Given that the 24 hour revocation overrides the five day revocation requirement, and given that the determination of a Debian Weak Key is, effectively, a lookup in a list of compromised keys, this section should be adjusted to clearly distinguish the computationally-feasible-but-not-yet-performed type of weakness (e.g. ROCA) from the known-compromised scenario (e.g. Debian Weak Keys).
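The distinction the issue draws, a list lookup for Debian weak keys versus a derivation method that merely exists for ROCA-class keys, mapped onto the two BR 4.9.1.1 deadlines, as an added Python example that is not from the issue or the cabforum repository. The openssl-blacklist hashing convention, the sample modulus and the use of an undersized RSA modulus as a stand-in for the "weak" class are assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# BR 4.9.1.1 deadlines the issue contrasts: 24 hours when the Private Key is
# compromised, up to five days when a method merely exists to derive it.
DEADLINE_COMPROMISED = timedelta(hours=24)
DEADLINE_WEAK = timedelta(days=5)

def debian_blocklist_id(modulus: int) -> str:
    """Lookup key for an openssl-blacklist style list. Assumption: the lists hold the
    last 20 hex digits of SHA-1 over the 'Modulus=<HEX>\\n' line that
    `openssl rsa -noout -modulus` prints; verify against the list you deploy."""
    line = b"Modulus=" + format(modulus, "X").encode() + b"\n"
    return hashlib.sha1(line).hexdigest()[-20:]

def undersized_rsa(modulus: int) -> bool:
    """Stand-in for the 'a method exists to compute the private key' class (the
    ROCA-style case): a sub-2048-bit RSA modulus is within reach of factoring, but
    nobody has handed us the private key. Not a ROCA fingerprint check."""
    return modulus.bit_length() < 2048

def classify_key(modulus: int, blocklist: set, weak_by_construction) -> str:
    # A hit on the known-compromised list is the Debian case: the private key is
    # public, so this is a compromise, not merely a weakness.
    if debian_blocklist_id(modulus) in blocklist:
        return "compromised"
    if weak_by_construction(modulus):
        return "weak"
    return "ok"

def revocation_deadline(verdict: str, discovered: datetime):
    """Deadline by which the certificate must be revoked, or None."""
    if verdict == "compromised":
        return discovered + DEADLINE_COMPROMISED
    if verdict == "weak":
        return discovered + DEADLINE_WEAK
    return None

# Constructed sample data (not a real Debian weak key): one modulus we place on the
# blocklist, and the moment a CA learned of it.
WEAK_SAMPLE_MODULUS = (1 << 1023) | 0xDEB1A9
BLOCKLIST = {debian_blocklist_id(WEAK_SAMPLE_MODULUS)}
EXAMPLE_DISCOVERED = datetime(2020, 4, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for m in (WEAK_SAMPLE_MODULUS, (1 << 1023) | 1, (1 << 2047) | 1):
        verdict = classify_key(m, BLOCKLIST, undersized_rsa)
        print(m.bit_length(), verdict, revocation_deadline(verdict, EXAMPLE_DISCOVERED))
```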