Hi everyone,

As some eagle-eyed CAs may have noticed, I've revamped and restarted the Pwnedkeys Revokinator, which matches compromised keys from the Pwnedkeys dataset against issued WebPKI certificates, and sends compromise attestations to the issuing CAs.

The major change from last time I was running the Revokinator is that I have no intention of trawling the revocation status information looking for violations of the BRs. CAs are free to ignore the notifications that Revokinator sends (as a representative of one CA has hinted may occur if I don't follow their specific manual processes to generate evidence in their preferred format), without fear of incident reports being filed by me.

Instead, I have stood up a site, at https://pwnedkeys.com/revokinator, that is intended to be the one-stop shop for displaying all of the information that the Revokinator has about compromised certificates, compromise notifications, OCSP checks, and so on. Anyone who wants to trawl that data looking for BR and policy violations may do so, and create incidents as they see fit. The complete database schema describing what is being recorded by the Revokinator is available at https://pwnedkeys.com/revokinator/db-schema.

The current information being displayed is very incomplete, and serves more as a demonstration of how to write extract/display functions than a complete dump of available information. The codebase is publicly available at https://github.com/pwnedkeys/revokinator-site, so if you're keen to be able to see more of the Revokinator's data, submit PRs.

There is an FAQ about the Revokinator at https://pwnedkeys.com/revokinator/faq that gives details about how the Revokinator works, and various other pieces of information that may be of interest. Of particular note to CAs, there are instructions on how CAs may receive notifications by means other than email. They may wish to consider implementing that route in the near future, as at some point I will be running a script to match the backlog of compromised certificates and bulk-submit them to CAs, which may put significant load on whoever sits on the problem report mailbox.

Finally, I don't intend for mdsp to become the Revokinator announcements list, so if you wish to receive future updates about improvements to the Revokinator as they're released, I'd suggest subscribing to the Pwnedkeys newsletter (https://pwnedkeys.com/newsletter/subscribe), where future announcements will be posted.

- Matt