[SSL Observatory] Widespread RNG vulnerabilities discovered using Observatory data

Gervase Markham gerv at mozilla.org
Wed Feb 15 02:37:03 PST 2012


On 15/02/12 02:11, Peter Eckersley wrote:
> A team led by Arjen Lenstra used a new (not yet published) Observatory scan
> to find tens of thousands of TLS servers with readily factorizable weak keys:
>
> https://eff.org/deeplinks/2012/02/researchers-ssl-observatory-cryptographic-vulnerabilities
>
> We will be working to try to let the affected server operators know that they
> need to make new keys.  We will also try to contact the CAs that issued
> certificates for vulnerable keys, though in many cases this is hard to do in
> bulk, because CA certificates do not contain email addresses :(.
>
> I know there are many employees of CAs on this list.  Please reply to Dan and
> me privately if you have a good contact address for your CA.  It would be even
> more helpful if the CA-Browser Forum could send us a dictionary that maps
> either Issuer strings or AKIDs to contact email addresses.

I'm fairly sure the CAB Forum does not have that information, at least 
not readily to hand.

Mozilla has a database of contacts for each of the roots in our store, 
which may provide the information you need. I'm not certain we would be 
at liberty to make it available to you for privacy reasons (it depends 
on what was said when the data was collected) but if that's not 
possible, we may be able to send alerting email on your behalf.

Please contact Kathleen Wilson <kwilson at mozilla dot com> to enquire 
about this possibility. I'm not sure she reads this list, so she'll need 
the above background info.

Gerv


