known bad certs blocklist


Jan Schaumann

Jan 9, 2024, 11:17:04 AM1/9/24
to dev-secur...@mozilla.org
Hello,

Is there a community-shared blocklist of known bad
certs (keys)?

Chrome has
https://chromium.googlesource.com/chromium/src/+/master/net/data/ssl/blocklist/README.md

Apple / Safari has
https://support.apple.com/en-us/103255

I don't recall if Firefox has a list?

Either way, it would be useful to have a community
shared list of known compromised keys or otherwise
revoked roots or intermediates. Does that already
exist?

-Jan

Ben Wilson

Jan 9, 2024, 11:30:37 AM1/9/24
to Jan Schaumann, dev-secur...@mozilla.org
Hello Jan,
This OneCRL list might be what you are looking for - https://crt.sh/mozilla-onecrl.
Ben

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ZZ1xe9_3hGFovkqT%40netmeister.org.

Matt Palmer

Jan 12, 2024, 4:33:55 PM1/12/24
to dev-secur...@mozilla.org
On Tue, Jan 09, 2024 at 11:16:59AM -0500, 'Jan Schaumann' via dev-secur...@mozilla.org wrote:
> Either way, it would be useful to have a community
> shared list of known compromised keys or otherwise
> revoked roots or intermediates. Does that already
> exist?

For known-compromised keys, there's https://pwnedkeys.com.

- Matt

Matthew Hardeman

Jan 12, 2024, 4:45:19 PM1/12/24
to dev-secur...@mozilla.org
I also was going to point out that these are probably [at least] three different concepts:

1.  There are untrusted / revoked / distrusted root and/or intermediate CERTIFICATES.

2.  There are KEYS which have been COMPROMISED (known/published/demonstrated public -> private key mapping) which are unsuitable for any use in any certificate in the WebPKI.

3.  There are KEYS which are algorithmically WEAK and are unsuitable for any use in any certificate in the WebPKI.

Of the latter two, there is much overlap as researchers have published some lists of instances of the third case as specific examples, which makes them also fit in the 2nd case.

Importantly, it is likely that the person asking the question needs to separately consider certificates which are unknown/untrusted/revoked and keys which are bad for one of a number of reasons.

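The three-way split above (distrusted certificates as in OneCRL or the Chromium blocklist, compromised keys as on pwnedkeys, and weak keys) maps onto three different checks, which is easy to get wrong if one list is treated as covering all three. The following is an added example, not code from the thread or from any of the projects named in it, showing one way to keep them apart in Go's standard library: distrusted certificates are matched by SHA-256 of the DER certificate, compromised keys by SHA-256 of the SubjectPublicKeyInfo (the fingerprint form pwnedkeys uses, so a key is caught regardless of which certificate it reappears in), and weak keys are judged from the key itself. The `Blocklist` type, the `Demo` function, the hash-naming conventions and the 1024-bit "weak" certificate it constructs are all assumptions for illustration; a real deployment would load the hashes from whichever source it trusts.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Blocklist keeps the three categories from the thread separate (hypothetical
// type, not from any of the sources named in the thread):
//   CertSHA256 - distrusted certificates, keyed by SHA-256 of the DER certificate
//   SPKISHA256 - compromised keys, keyed by SHA-256 of the SubjectPublicKeyInfo
//   MinRSABits - the "algorithmically weak" case, judged from the key itself
// Assumption: match on whatever digest your chosen list actually publishes.
type Blocklist struct {
	CertSHA256 map[string]bool
	SPKISHA256 map[string]bool
	MinRSABits int
}

// CertFingerprint is the hex SHA-256 of the whole DER certificate.
func CertFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// SPKIFingerprint is the hex SHA-256 of the DER SubjectPublicKeyInfo.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Check returns every reason to reject the certificate; an empty result is clean.
func (b Blocklist) Check(c *x509.Certificate) []string {
	var reasons []string
	if b.CertSHA256[CertFingerprint(c)] {
		reasons = append(reasons, "certificate is distrusted")
	}
	if b.SPKISHA256[SPKIFingerprint(c)] {
		reasons = append(reasons, "public key is known-compromised")
	}
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		if k.N.BitLen() < b.MinRSABits {
			reasons = append(reasons, fmt.Sprintf("RSA modulus too small: %d bits", k.N.BitLen()))
		}
		// CA/Browser Forum Baseline Requirements: e must be odd and at least 2^16+1.
		if k.E < 65537 || k.E%2 == 0 {
			reasons = append(reasons, fmt.Sprintf("RSA public exponent %d outside allowed range", k.E))
		}
	case *ecdsa.PublicKey:
		if k.Curve.Params().BitSize < 256 {
			reasons = append(reasons, "ECDSA curve weaker than P-256")
		}
	default:
		reasons = append(reasons, fmt.Sprintf("unsupported key type %T", c.PublicKey))
	}
	return reasons
}

// selfSigned builds a throwaway self-signed certificate; the name is constructed.
func selfSigned(cn string, key crypto.Signer) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Demo checks a constructed 1024-bit RSA certificate whose certificate hash
// and key hash were added to the list (standing in for a distrust entry and a
// pwnedkeys hit), and a fresh P-256 certificate that is on no list.
func Demo() (bad, good []string) {
	weak, _ := rsa.GenerateKey(rand.Reader, 1024)
	weakCert := selfSigned("weak.example", weak)
	fresh, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	freshCert := selfSigned("fresh.example", fresh)
	bl := Blocklist{
		CertSHA256: map[string]bool{CertFingerprint(weakCert): true},
		SPKISHA256: map[string]bool{SPKIFingerprint(weakCert): true},
		MinRSABits: 2048,
	}
	return bl.Check(weakCert), bl.Check(freshCert)
}

func main() {
	bad, good := Demo()
	fmt.Println("weak cert:", bad)
	fmt.Println("fresh cert:", good)
}
```

The point of hashing the SPKI separately from the certificate is that a revoked or distrusted certificate only covers that one certificate, while a compromised key must be refused in every certificate that ever carries it; the weak-key rule is the only one of the three that needs no list at all.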