On 16/10/17 20:01, Matthew Hardeman via dev-security-policy wrote:
The authors of the paper on the weak RSA keys generated by Infineon TPMs and
smart cards have published code in multiple languages / platforms that provide
for an efficient test for weakness by way of the Infineon TPM bug.
Perhaps this should be a category of issue identified by the crt.sh engine, etc?
Hi Matt. Yeah, I'm working on adding the ROCA check to crt.sh.
Should someone put together a ballot for incorporating this category of weak
keys as a mandatory check before issuing certs?
Code for testing keys is at: https://github.com/crocs-muni/roca
It looks like the test is exceptionally easy math against the modulus of the
public key.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
