Private key re-use and 1.1 Subscriber Agreement

With the 1.1 subscriber agreement, you ban re-use (and continued use) of private keys after the end of the validity period of any associated certificate:

3.8 When to Cease Using Your Certificate
You warrant to ISRG and the public-at-large, and You agree, that You will immediately cease using [...] the Private Key corresponding to the Public Key listed in Your Certificate [..] upon the revocation or expiration of Your Certificate.

This prevents re-use of private keys, and thus prevents public key pinning and complicates some deployment scenarios. I haven't found any discussion about the change here (but I cannot say I feel comfortable with Discourse, so I might have missed some advanced search features), so I have difficulties in understanding why that change was introduced.

I do agree that a public key must not be used after it is compromised (which is also determined by the same change), and one might argue about legal loopholes if continued use is permitted on certificate revocations, but at least in the case of an expiry I don't see the benefit of switching to a different private key.

Why was the change introduced and/or is there a way to continue to re-use private keys?

1 Like

Good catch! I think this might have been inadvertently phrased in a way that also affects expired certificates. The goal of this change was probably to clarify that if your private key is compromised (as described in (i)), you must cease to use the private key, not just the certificate (which does make sense :smile: ).

The private key bit should probably only apply to (i) and not (ii) and (iii).

Just guessing here, maybe @josh can chime in.

Do let’s encrypt check for private key reuse after a revocation of a certificate?

Comparing in detail the Subscriber Agreement 1.0.1 and Subscriber Agreement 1.1:

I suspect that the goal here was to indicate that subscribers should stop using private keys when they are compromised, but we accidentally over-scoped that to include expiration. I agree that it's the intent of Let's Encrypt to allow Subscribers to use the same private key across multiple renewals.

I think the simplest fix would be to go back to the original language and add a separate clause for private key compromise:

@josh: What do you think?

1 Like

Thanks for pointing this out! We will be correcting this before any new subscriber agreement goes into effect.

5 Likes

I want to add an explanation for how this bug got introduced. It’s actually a bug in the CA/B Forum Baseline Requirements (BRs) and we inherited it by adjusting our language to match the BRs.

The latest draft of our subscriber agreement resolves the issue and I’ve started the process of fixing the bug in the BRs as well.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.