Hi,

https://crt.sh/?id=7581884753&opt=ocsp is a certificate with a private key that can be broken with Fermat factorization [1], as the two RSA primes are close to each other. It was issued in September and is currently unrevoked.
I am not sure if there's currently an expectation to check for this type of vulnerability (though I've been CCed on a few mails back in July where there was a proposal to have more clarity on what weak keys to check in the cabforum rules, and this was one of the things in it, but I don't know what the current status there is). But I would recommend that all CAs implement this check. There have been a few such certificates in the wild and the check is easy to do (see [2] for the badkeys code doing the check).

[1] https://fermatattack.secvuln.info/
[2] https://github.com/badkeys/badkeys/blob/main/badkeys/rsakeys/fermat.py

--
Hanno Böck
https://hboeck.de/
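The check recommended in the message above, as an added Python example that is not part of the original email and is not the badkeys implementation it links to. The 100-round limit, the helper names and the sample moduli are assumptions constructed for this example; a CA would run `fermat_factor` on the modulus of each submitted public key and refuse issuance if it returns factors.

```python
from math import isqrt

def fermat_factor(n, max_rounds=100):
    """Return (p, q) if odd n factors within max_rounds Fermat steps, else None."""
    # max_rounds=100 is a value assumed for this example, not a cited requirement.
    if n < 9 or n % 2 == 0:
        raise ValueError("expected an odd composite RSA modulus")
    a = isqrt(n)
    if a * a < n:                 # start at ceil(sqrt(n))
        a += 1
    for _ in range(max_rounds):
        b2 = a * a - n            # n = a^2 - b^2 = (a - b)(a + b)
        b = isqrt(b2)
        if b * b == b2:
            return (a - b, a + b) if a - b > 1 else None
        a += 1
    return None

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases; only used to build the sample keys."""
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x != 1 and all(pow(x, 2**r, n) != n - 1 for r in range(s)):
            return False          # base a is a witness that n is composite
    return True

def next_prime(n):
    """Smallest probable prime strictly greater than n."""
    n += 1 if n % 2 == 0 else 2
    while not is_probable_prime(n):
        n += 2
    return n

# Constructed sample moduli (not taken from any real certificate).
WEAK_P = next_prime(2**511 + 2**300)
WEAK_Q = next_prime(WEAK_P)       # adjacent primes: the weak case
WEAK_N = WEAK_P * WEAK_Q
STRONG_N = next_prime(2**511) * next_prime(3 * 2**510)   # primes far apart

if __name__ == "__main__":
    print("weak key factored:", fermat_factor(WEAK_N) == (WEAK_P, WEAK_Q))
    print("far-apart primes :", fermat_factor(STRONG_N))
```

A `None` result only means the key is not vulnerable to this particular attack within the round limit; it says nothing about other weak-key classes.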
