
Re: Debian SSL key generation vs Revocation and Expiration

From: Yngve Nysaeter Pettersen <yngve@opera.com>
Date: Thu, 29 May 2008 13:54:05 +0200
To: "Thomas Roessler" <tlr@w3.org>, johnath@mozilla.com, pbaker@verisign.com
Cc: public-wsc-wg@w3.org
Message-ID: <op.ubwzcfzpvqd7e2@killashandra.oslo.opera.com>

On Tue, 27 May 2008 14:23:20 +0200, Thomas Roessler <tlr@w3.org> wrote:

>
> One side effect of the Debian SSL key generation disaster is that
> anybody who got hold of one of the affected *public* certificates
> will be able to impersonate that site until the certificate is
> revoked -- the private keys are known, after all.
>
> Affected sites apparently include at least one major
> content-delivery network.
>
> I wonder what we can expect in terms of mass revocation of affected
> certificates, in terms of distributing these CRLs to users, or
> possibly even in terms of blacklisting any affected certificates,
> even without participation from the CAs -- after all, the current
> situation creates a significant exposure which is *not* healed by
> sites changing their keys.
>
> (Some quick poking at published CRLs seems to show no significant
> increase in revocations when comparing May to prior months, which
> makes me mildly nervous.)
>
> Anybody care to shed some light on the current thinking?  Yngve?
> Johnath? Phill?

From the browser's point of view it is definitely out of scope to
extensively evaluate the "brittleness" of public keys. And even if we
tried it would be too costly.

In this particular case we are dealing with ~32000 weak keys for each
key length, as I understand it. The Debian blacklist is 1.8MB compressed
for each key length. That makes it unfeasible to ship a list along with
the client. Calculating the list locally may take several hours. An online
blacklist might work, but has infrastructure requirements, as well as
possible privacy issues.

Generally speaking, in order to check for this kind of problem one does
not just have to know the input data, one also has to know the exact
algorithm for the key generator, and has to use a copy of that when
checking.

In any case, such testing would require updating and deploying clients,
with all the associated costs and delays that entails.

The only parties that can do anything worthwhile here are the websites and  
the CAs.


-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		                 Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
Received on Thursday, 29 May 2008 11:57:26 UTC
