Weak keys detections #3
Replies: 2 comments 1 reply
-
Hello, and thank you for your valuable feedback. I personally think that the policy module wouldn't be the perfect place for such logic, as usually such security vulnerabilities get public after the damage (issuing a certificate) has already been done. Implementing an additional check will furthermore consume time until the module can get patched in production. I think it'll be wiser to dump all certificates issued by a CA and analyze them with the tools that have already been provided by the respective researchers. Kind regards
-
The biggest challenge IMO is to convert all the provided code to C# to make it usable in the policy module. If you have the capability to do that, I'd highly appreciate the contribution :o).
-
Implement prevention to issue certificates created using weak keys, some examples:
Debian Weak Keys (https://wiki.debian.org/SSLkeys, https://github.com/HARICA-official/debian-weak-keys and https://github.com/CVE-2008-0166)
ROCA vulnerability (https://en.wikipedia.org/wiki/ROCA_vulnerability and https://github.com/crocs-muni/roca)
Fermat Attack on RSA (https://fermatattack.secvuln.info/)
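One of the checks listed above, the Fermat close-primes test, sketched in C# with `System.Numerics.BigInteger` as an added example; it is not code from the project or from the linked researchers. The class and method names and the limit of 100 rounds are assumptions, the toy moduli are constructed, and `RSA.Create(int)` assumes .NET Framework 4.7.2 or .NET Core 2.0 and later.

```csharp
using System;
using System.Numerics;
using System.Security.Cryptography;
public static class FermatWeakKeyCheck
{
    // RSAParameters.Modulus is big-endian unsigned; BigInteger(byte[]) wants
    // little-endian two's complement, so reverse and append a zero byte.
    public static BigInteger FromBigEndianUnsigned(byte[] be)
    {
        var le = new byte[be.Length + 1];
        for (int i = 0; i < be.Length; i++) le[i] = be[be.Length - 1 - i];
        return new BigInteger(le);
    }
    // Floor of the integer square root: Newton iteration from an upper bound.
    public static BigInteger ISqrt(BigInteger n)
    {
        if (n < 2) return n;
        BigInteger x = BigInteger.One << (n.ToByteArray().Length * 4 + 1);
        for (;;)
        {
            BigInteger y = (x + n / x) >> 1;
            if (y >= x) return x;
            x = y;
        }
    }
    // True when n = a^2 - b^2 for an a within maxRounds steps above sqrt(n).
    public static bool HasClosePrimes(BigInteger n, int maxRounds)
    {
        if (n < 3 || n.IsEven) throw new ArgumentException("not an odd modulus", nameof(n));
        BigInteger a = ISqrt(n);
        if (a * a == n) return true; // perfect square, p == q
        for (int i = 0; i < maxRounds; i++)
        {
            a += 1;
            BigInteger b2 = a * a - n, b = ISqrt(b2);
            if (b * b == b2) return true;
        }
        return false;
    }
    public static void Main()
    {
        // Constructed toy moduli (factors 30 apart vs. about 10^6 apart).
        Console.WriteLine(HasClosePrimes(new BigInteger(1000003) * 1000033, 100));
        Console.WriteLine(HasClosePrimes(new BigInteger(1000003) * 2000003, 100));
        // Freshly generated key, converted the way a request's modulus would be.
        using (RSA rsa = RSA.Create(2048))
            Console.WriteLine(HasClosePrimes(FromBigEndianUnsigned(rsa.ExportParameters(false).Modulus), 100));
    }
}
```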