On Wednesday, 18 October 2017 10:15:03 UTC+1, Rob Stradling wrote:
> I've completed a full scan of the crt.sh DB, which found 171 certs with
> ROCA fingerprints.
>
> The list is at https://misissued.com/batch/28/
>
> Many of these are Qualified/EUTL certs rather than anything to do with
> the WebPKI. Only about half of them chain to roots that are trusted by NSS.
I have been looking mainly at those certificates which seem like they might be accepted by plausible Web PKI clients (say, curl for example) regardless of their root.

Several have a property that passes the Infineon fingerprint test as written, but I believe it's as a result of some other (even worse?) flaw in the actual key generation method used for these keys. The ones that most confused me have M mod p = 1 for all small primes p. The odds against that happening by chance with fair random candidates are astronomical.

I am pretty sure they aren't from Infineon devices because earlier work showed the Infineon key gen process gives a very narrow range of Most Significant Bytes for the modulus, and the strange moduli are outside that range.

For example: https://crt.sh/?id=13734110

Whatever is wrong with these keys, it's separate from the Infineon issue.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
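An added illustration of the point made above (example code written for this page, not from the thread, crt.sh or any published detector): the ROCA fingerprint test checks, for each small prime p, whether M mod p lies in the subgroup generated by 65537 mod p. A modulus with M mod p = 1 for every small p passes that test trivially, since 1 = 65537^0, so a scanner should flag it separately. The prime range (odd primes up to 167) and the three sample moduli are assumptions constructed for the demo, not real certificate keys.

```python
# Small primes used for the residue check (range assumed for this example).
SMALL_PRIMES = [p for p in range(3, 168)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]
GENERATOR = 65537  # the public exponent the affected key generator builds M from


def residue_subgroup(p):
    """Residues 65537^k mod p: the values M mod p a ROCA-style modulus can take."""
    g, seen, x = GENERATOR % p, set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % p
    return seen


SUBGROUPS = {p: residue_subgroup(p) for p in SMALL_PRIMES}


def first_failing_prime(modulus):
    """First small prime whose residue rules out the ROCA structure, or None."""
    for p in SMALL_PRIMES:
        if modulus % p not in SUBGROUPS[p]:
            return p
    return None


def roca_fingerprint(modulus):
    """The fingerprint test 'as written': every small prime must pass."""
    return first_failing_prime(modulus) is None


def all_residues_one(modulus):
    """The anomaly from the post: M mod p == 1 for every small prime p.
    Such a modulus always passes roca_fingerprint, because 1 == 65537^0 mod p."""
    return all(modulus % p == 1 for p in SMALL_PRIMES)


def classify(modulus):
    """Separate the 'M == 1 mod everything' oddity from a genuine ROCA match."""
    if all_residues_one(modulus):
        return "anomalous: 1 mod every small prime (passes ROCA test trivially)"
    if roca_fingerprint(modulus):
        return "ROCA fingerprint match"
    return "no ROCA fingerprint (ruled out at p=%d)" % first_failing_prime(modulus)


# Constructed sample moduli (not real keys). PRIMORIAL is the product of SMALL_PRIMES.
PRIMORIAL = 1
for _p in SMALL_PRIMES:
    PRIMORIAL *= _p
ROCA_LIKE = pow(GENERATOR, 12345, PRIMORIAL) + 4 * PRIMORIAL  # == 65537^12345 mod each p
ONE_MOD_ALL = 1 + 2 * PRIMORIAL                                # == 1 mod each p
ORDINARY = (2 ** 127 - 1) * (2 ** 61 - 1)                      # product of two real primes
```

To run this over the certificates in the batch, extract each RSA public key's modulus with any X.509 parser and pass the integer to classify().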