Hi Hanno,
This is not publicly trusted TLS certificate but only Telia's test certificate. Issuer is our test issuer "Telia PreProd Server CA v3" (not publicly trusted).
Telia was testing new Badkeys/Lint implementation and we wanted to do also one test without Badkeys/Lint with vulnerable key to see if anything else would prevent such key. According to our information CT log "Dodo" that was used is non-production CT log and could be used for such tests with non-trusted TLS certificates (Mammoth and Sabre are Sectigo's production CT logs). I hope this kind of testing is OK? Or should we keep such test certificates internal only without any CT publishing?
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/AS1PR07MB8688F4317AE188F9EFCE44C1E12E9%40AS1PR07MB8688.eurprd07.prod.outlook.com.
Hi Ben,
We are not using Debian at all. We just took one random vulnerable key from vulnerable key archive from Debian weak key list because we wanted to test what will happen in our test code with such key. The purpose of this test was to use seriously bad key when bypassing our normal ways to detect and prevent it.
We didn’t expect this test key/certificate to go to any CT log that is used for CT monitoring.
Br Pekka
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/AS1PR07MB8688A78506942360543FF0D4E12E9%40AS1PR07MB8688.eurprd07.prod.outlook.com.
Hi,For what it's worth, I think this kind of intentional end-to-end testing is good, and what testing CT logs and roots are for. Like negative tests, it demonstrates your pipeline actually works (and is not rejecting the bad certificates just because it's broken), and as a side effect it allowed us to test the community's ability to catch certificates issued from bad public keys.I'm mentioning this because I want you and other CAs to feel encouraged to, not discouraged from, this kind of testing.Agreed on maybe surfacing public trust information in crt.sh, which is available behind the Issuer click. https://crt.sh/?caid=251252
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/6a844802-74ac-4026-8e32-72dd083fd506%40app.fastmail.com.