On 02/15/2012 08:19 PM, Peter Eckersley wrote:
> On Tue, Feb 14, 2012 at 06:11:49PM -0800, Peter Eckersley wrote:
>
> This seems consistent with Nadia Heninger's claim that these are
> exclusively routers, VPN devices and other embedded systems:
>
> https://www.freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs
>
> Apologies for panicking any CAs over this, it seems as though router and VPN
> manufacturers will have responsibility for responding to this problem.
Don't beat yourself up over it :-) With all due respect to Lenstra et al. (the work they did was good), the data originally provided by them made the case (unintentionally) sound scarier than it is.

Though the idea to make a public "CA security email address contact list" would still be nice. For example, I've run into a dead end when reporting yet-unknown certs with weak 512-bit keys with the right KU and EKU extensions for code signing to a CA (it was around the time when malware signed by factorized keys became rampant; the CA in question was trusted by Mozilla and Microsoft). The only officially listed contact did not respond at all (I guess only disclosure on a list made them actually revoke them weeks later).

Also, I'd like to add a comment on keys shared by "often uninvolved parties". I had a discussion with Ralph Holz about our results in key-sharing and we agreed that in many cases it is really hard to find out whether parties are involved or not (meaning: a lot of manual checking of financial registries and whatnot; hard to automatize). Nevertheless, there are e.g. VPS hostings that simply copy over an installation image and do not change keys.
There is also some key-sharing among RAs and CAs in CA-certs (with different policies stated in CPS for the products), an example (full graph of such certs is still on my TODO list):

-----BEGIN CERTIFICATE-----
MIIFAzCCA+ugAwIBAgIQTM1KmltFEyGMz5AviytRcTANBgkqhkiG9w0BAQUFADCB
lzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug
Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho
dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt
SGFyZHdhcmUwHhcNMDYwOTE4MDAwMDAwWhcNMjAwNTMwMTA0ODM4WjBxMQswCQYD
VQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdT
YWxmb3JkMRowGAYDVQQKExFDb21vZG8gQ0EgTGltaXRlZDEXMBUGA1UEAxMOUG9z
aXRpdmVTU0wgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9T3lY
IpPJKD5SEQAvwKkgitctVR4Q57h/4oYqpOxe6eSSWJZUDfMXukGeFZFV78LuACAY
RYMm3yDMPbOhEzEKIVx5g3mrJBVcVvC0lZih2tIb6ha1y7ewwVP5pEba8C4kuGKe
joteK1qWoOpQ6Yj7KCpNmpxIT4O2h65Pxci12f2+P9GnncYsEw3AAcezcPOPabuw
PBDf6wkAhD9u7/zjLbTHXRHM9/Lx9uLjAH4SDt6NfQDKOj32cuh5JaYIFveriP9W
XgkXwFqCBWI0KyhIMpfQhAysExjbnmbHqhSLEWlN8QnTul2piDdi2L8Dm53X5gV+
wmpSqo0HgOqODvMdAgMBAAGjggFuMIIBajAfBgNVHSMEGDAWgBShcl8mGyiYQ5Vd
BzfVhZadS9LDRTAdBgNVHQ4EFgQUuMoR6QYxedvDlMboGSq8uzUWMaQwDgYDVR0P
AQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwewYDVR0fBHQwcjA4oDagNIYy
aHR0cDovL2NybC5jb21vZG9jYS5jb20vVVROLVVTRVJGaXJzdC1IYXJkd2FyZS5j
cmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29tb2RvLm5ldC9VVE4tVVNFUkZpcnN0LUhh
cmR3YXJlLmNybDCBhgYIKwYBBQUHAQEEejB4MDsGCCsGAQUFBzAChi9odHRwOi8v
Y3J0LmNvbW9kb2NhLmNvbS9VVE5BZGRUcnVzdFNlcnZlckNBLmNydDA5BggrBgEF
BQcwAoYtaHR0cDovL2NydC5jb21vZG8ubmV0L1VUTkFkZFRydXN0U2VydmVyQ0Eu
Y3J0MA0GCSqGSIb3DQEBBQUAA4IBAQAdtOf5GEhd7fpawx3jt++GFclsE0kWDTGM
MVzn2odkjq8SFqRaLZIaOz4hZaoXw5V+QBz9FGkGGM2sMexq8RaeiSY9WyGN6Oj5
qz2qPMuZ8oZfiFMVBRflqNKFp05Jfdbdx4/OiL9lBeAUtTF37r0qhujop2ot2mUZ
jGfibfZKhWaDtjJNn0IjF9dFQWp2BNStuY9u3MI+6VHyntjzf/tQKvCL/W8NIjYu
zg5G8t6P2jt9HpOs/PQyKw+rAR+lQI/jJJkfXbKqDLnioeeSDJBLU30fKO5WPa8Y
Z0nf1R7CqJgrTEeDgUwuRMLvyGPui3tbMfYmYb95HLCpTqnJUHvi
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIQMKeebbHpGVqxyFDTln1j1TANBgkqhkiG9w0BAQUFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTA1MDcxNDAwMDAwMFoXDTE5MDcwOTE4MTkyMlow
dTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MSYwJAYDVQQKEx1Qb3NpdGl2ZSBTb2Z0d2FyZSBDb3Jwb3JhdGlv
bjETMBEGA1UEAxMKTGl0ZVNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAL1PeVgik8koPlIRAC/AqSCK1y1VHhDnuH/ihiqk7F7p5JJYllQN8xe6
QZ4VkVXvwu4AIBhFgybfIMw9s6ETMQohXHmDeaskFVxW8LSVmKHa0hvqFrXLt7DB
U/mkRtrwLiS4Yp6Oi14rWpag6lDpiPsoKk2anEhPg7aHrk/FyLXZ/b4/0aedxiwT
DcABx7Nw849pu7A8EN/rCQCEP27v/OMttMddEcz38vH24uMAfhIO3o19AMo6PfZy
6HklpggW96uI/1ZeCRfAWoIFYjQrKEgyl9CEDKwTGNueZseqFIsRaU3xCdO6XamI
N2LYvwObndfmBX7CalKqjQeA6o4O8x0CAwEAAaOCAWAwggFcMB0GA1UdDgQWBBS4
yhHpBjF528OUxugZKry7NRYxpDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgw
BgEB/wIBATARBglghkgBhvhCAQEEBAMCAgQwewYDVR0fBHQwcjA4oDagNIYyaHR0
cDovL2NybC5jb21vZG9jYS5jb20vQWRkVHJ1c3RFeHRlcm5hbENBUm9vdC5jcmww
NqA0oDKGMGh0dHA6Ly9jcmwuY29tb2RvLm5ldC9BZGRUcnVzdEV4dGVybmFsQ0FS
b290LmNybDCBhgYIKwYBBQUHAQEEejB4MDsGCCsGAQUFBzAChi9odHRwOi8vY3J0
LmNvbW9kb2NhLmNvbS9BZGRUcnVzdFVUTlNlcnZlckNBLmNydDA5BggrBgEFBQcw
AoYtaHR0cDovL2NydC5jb21vZG8ubmV0L0FkZFRydXN0VVROU2VydmVyQ0EuY3J0
MA0GCSqGSIb3DQEBBQUAA4IBAQBC6Axe81lrom4vHWzOmzz+QYj/ADLgK8RDWDbI
QHwZcNXyYJPz7kmOcpAbayWK1yAzGr4JPiKP3z86voZ56MpIfOt0eKpxKBUdXtsV
P1XOLeKbmHDhcjxZjRYRIi2e1dXHOAAlF/abnGSsR/eCo/4RRf9FcCZPgvBx1Kin
94eVLE9rI2JwuUpDnogyo+EHMTUWIdtCdtsLFP1IY1JCdfZCFph/kW+FLdiQ8DOr
nJkl8PP6wL2aXDnnniFcBMa9rqB/ib5buMRAO+nJVv28mJkggodDRpZXFp+OGTIU
WjEZgqr9NaoNZCZpyfZxPsOFYzoxLYEmJs3AJHxkhIHg6YQU
-----END CERTIFICATE-----

Ondrej
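Both conditions raised in this thread, the same public key turning up in several certificates and keys below a size threshold (the 512-bit code-signing certs mentioned above), can be checked from nothing more than the RSA modulus in each certificate's SubjectPublicKeyInfo. The Python below is an added example for this discussion, not code from the thread nor from the Lenstra et al. or Heninger et al. work; it walks the DER by hand so it runs on the standard library alone. The names `audit`, `rsa_modulus`, `key_fingerprint` and `fake_cert_pem` are chosen here, and the moduli used as input are placeholder integers, not real keys.

```python
"""Extract the RSA modulus from X.509 certificates with a minimal DER walker, then
report keys shared by several certificates and keys below a size threshold."""
import base64
import hashlib
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour (wrapped or unwrapped base64) and decode to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Split the body of a constructed element into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def rsa_modulus(der: bytes) -> int:
    """Return the modulus n of a certificate's RSA key; ValueError for non-RSA keys."""
    (_, cert_body), = _children(der)        # Certificate ::= SEQUENCE { tbs, alg, sig }
    fields = _children(_children(cert_body)[0][1])  # members of tbsCertificate
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    alg, subject_public_key = _children(fields[5][1])[:2]
    if _children(alg[1])[0] != (0x06, RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    rsa_key = _children(subject_public_key[1][1:])[0][1]  # skip unused-bits octet
    modulus, _exponent = _children(rsa_key)
    return int.from_bytes(modulus[1], "big")


def key_fingerprint(n: int) -> str:
    """Hex SHA-256 of the modulus: equal fingerprints mean the same key pair."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


def audit(certs: dict, min_bits: int = 2048):
    """certs maps a label to a PEM string. Returns (shared, weak): shared maps a
    fingerprint to the labels of every key used by more than one certificate,
    weak lists (label, bits) for moduli shorter than min_bits."""
    by_key, weak = {}, []
    for label, pem in certs.items():
        n = rsa_modulus(pem_to_der(pem))
        by_key.setdefault(key_fingerprint(n), []).append(label)
        if n.bit_length() < min_bits:
            weak.append((label, n.bit_length()))
    shared = {fp: labels for fp, labels in by_key.items() if len(labels) > 1}
    return shared, weak


# --- constructed input: a certificate skeleton wrapped around a chosen modulus ---
def _der(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _int(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)


def fake_cert_pem(n: int, e: int = 65537) -> str:
    """Put an RSA modulus into the DER layout of a certificate. Name fields are
    empty and the signature is a placeholder: structure only, nothing is signed."""
    rsa_key = _der(0x30, _int(n) + _int(e))
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    empty = _der(0x30, b"")
    tbs = _der(0x30, _der(0xA0, _int(2)) + _int(1) + empty * 4 + spki)
    cert = _der(0x30, tbs + empty + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    shared_n = (1 << 2047) | 12345  # placeholder modulus, not a real key
    sample = {
        "ca-A": fake_cert_pem(shared_n),
        "ca-B": fake_cert_pem(shared_n),  # same key under a different label
        "codesign-old": fake_cert_pem((1 << 511) | 0xBEEF),  # 512-bit placeholder
    }
    print(audit(sample))
```

Run as a script it reports the two placeholder certificates that share a modulus and the 512-bit one. Fed the two PEM blocks from the message above as `audit({"PositiveSSL CA": pem1, "LiteSSL CA": pem2})`, it returns one shared fingerprint for both CA certificates. The walker assumes well-formed DER and only understands rsaEncryption keys; the moduli it extracts are also exactly the input a batch-GCD pass of the kind Heninger and Lenstra ran would take.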
