Hi,

A while ago I tested how some CAs would react to certificate requests with Debian weak keys.

I was able to get a certificate from Let's Encrypt with a Debian weak key. Here it is:
https://crt.sh/?id=173588030

I reported this to Let's Encrypt. They told me that they are aware they weren't checking Debian weak keys, but they were in the process of deploying a check:
https://github.com/letsencrypt/boulder/pull/2765

I don't know if this is active by now, but I assume so.

Maybe notable: The certificate hasn't been revoked, despite me reporting it. However, I haven't explicitly asked for revocation (and I could revoke it myself, given that I have the private key).

I have also tried to get a cert with a Debian weak key from the free trial offerings from Comodo and Symantec. Both rejected the request.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
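A sketch of the kind of pre-issuance check discussed in this message, added here as an example; it is not part of the original message and is not Boulder's code. It assumes the blocklist uses the Debian openssl-blacklist convention (one entry per line, each the last 20 hex characters of the SHA-1 over the `Modulus=<HEX>` line that `openssl rsa -noout -modulus` prints); the function names and the sample modulus are constructed for illustration.

```python
import hashlib

FINGERPRINT_HEX_LEN = 20  # assumed format: last 80 bits of the SHA-1, as hex
HEX_DIGITS = set("0123456789abcdef")


def fingerprint(modulus: int) -> str:
    """Truncated SHA-1 over the text `openssl rsa -noout -modulus` prints."""
    line = "Modulus=%X\n" % modulus
    digest = hashlib.sha1(line.encode("ascii")).hexdigest()
    return digest[-FINGERPRINT_HEX_LEN:]


def parse_blocklist(text: str) -> frozenset:
    """One entry per line; '#' comments and blank lines are skipped.

    A malformed entry raises, so a damaged list stops the service at
    load time instead of silently matching nothing.
    """
    entries = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        if len(entry) != FINGERPRINT_HEX_LEN or not set(entry) <= HEX_DIGITS:
            raise ValueError("bad blocklist entry on line %d" % lineno)
        entries.add(entry)
    return frozenset(entries)


def is_blocked(modulus: int, blocklist: frozenset) -> bool:
    """True if the RSA modulus of a request is on the blocklist."""
    return fingerprint(modulus) in blocklist


# Constructed sample input: an arbitrary 2048-bit odd integer standing in
# for a modulus. It is NOT a real key and NOT a real Debian weak key.
SAMPLE_N = (1 << 2047) | 0xC0FFEE01
SAMPLE_BLOCKLIST = parse_blocklist(
    "# constructed sample blocklist\n\n" + fingerprint(SAMPLE_N) + "\n"
)

if __name__ == "__main__":
    for n in (SAMPLE_N, SAMPLE_N + 2):
        verdict = "reject" if is_blocked(n, SAMPLE_BLOCKLIST) else "accept"
        print(fingerprint(n), verdict)
```

In a real issuance path the modulus would come from the public key in the CSR, and the same lookup can be run over already-issued certificates to find ones that need revocation.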