Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-04-09 Thread Clint Wilson via Servercert-wg
Hi Wayne, I think this does seem like it could be a tractable solution, however I’d like to understand why one of the proposals I’ve brought up a couple times on the calls isn’t also a suitable option. From what I can gather, they’re nearly identical in practical impact, but one provides a

Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal

2024-04-09 Thread Rob Stradling via Servercert-wg
> * Aaron Gable commented in the PR with a suggestion that we require CAs to reject any key found in Hanno Bock's repository at https://github.com/badkeys/debianopenssl. This includes RSA 1024/2048/3072/4096 and EC P256/P384 keys.

Some of the EC key files in Hanno's repository have ASN.1