Zlint also has a check for this <https://github.com/zmap/zlint/blob/master/v3/lints/community/lint_rsa_fermat_factorization.go> in version 3.4.0 (released this month), and on master since July.
On Sat, Oct 29, 2022 at 12:45 PM Hanno Böck <[email protected]> wrote: > Hi, > > https://crt.sh/?id=7581884753&opt=ocsp > is a certificate with a private key that can be broken with fermat > factorization [1] as the two RSA primes are close to each other. It has > been issued in September and is currently unrevoked. > > I am not sure if there's currently an expectation to check for this > type of vulnerability (though I've been CCed on a few mails back in > July where there was a proposal to have more clarity on what weak keys > to check in the cabforum rules, and this was one of the things in it, > but I don't know what the current status there is). But I would > recommend that all CAs implement this check. There have been a few such > certificates in the wild and the check is easy to do (see [2] for the > badkeys code doing the check). > > > [1] https://fermatattack.secvuln.info/ > [2] > https://github.com/badkeys/badkeys/blob/main/badkeys/rsakeys/fermat.py > > -- > Hanno Böck > https://hboeck.de/ > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20221029214539.182e35be%40computer > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErcvz0K8Gux_B11oMQYw-qQSZTvApm7xoSK6gj7YDS16Xg%40mail.gmail.com.
