On Wed, 28 Feb 2018 20:03:51 +0000 Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> The keys were emailed to me. I'm trying to get a project together
> where we self-sign a cert with each of the keys and publish them.
> That way there's evidence to the community of the compromise without
> simply listing 23k private keys. Someone on Reddit suggested that,
> which I really appreciated.

That's probably me (tialaramex). Anyway, if it is me you're referring to, I suggested using the private keys to issue a bogus CSR. CSRs are signed, proving that whoever made them had the corresponding private key, but they avoid the confusion that comes from DigiCert (or its employees) issuing bogus certs.

Everybody reading m.d.s.policy can still see that a self-signed cert is harmless and not an attack, but it may be harder to explain in a soundbite.

Maybe more technically able contributors disagree?
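The proof-of-possession idea in this reply, as an added example that is not part of the thread: a CSR carries a self-signature, so a verifier can confirm that whoever produced it held the private key, and can confirm which key, without any certificate ever being issued. It assumes the openssl CLI is installed; the "compromised" key is freshly generated here as a stand-in.

```shell
#!/bin/sh
# Added example (not from the thread): publish evidence of key compromise
# as a signed CSR rather than a self-signed certificate.
# Assumes the openssl CLI is available.
set -eu

WORK=$(mktemp -d)

# Stand-in for one of the compromised keys, constructed for this demo only.
make_demo_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null
}

# Produce a CSR with an obviously bogus subject, signed by the given key.
# Nothing here is a certificate, so nothing can be mistaken for one.
make_evidence_csr() {
    key="$1"; out="$2"
    openssl req -new -key "$key" \
        -subj "/CN=COMPROMISED KEY - DO NOT ISSUE/O=key compromise evidence" \
        -out "$out" 2>/dev/null
}

# Verifier side: the CSR signature must check out (proof of possession),
# and the public key inside the CSR must match the key claimed compromised.
verify_evidence_csr() {
    csr="$1"; key="$2"
    openssl req -in "$csr" -noout -verify 2>/dev/null || return 1
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$csr_pub" = "$key_pub" ]
}

KEY="$WORK/compromised.key"
make_demo_key "$KEY"
make_evidence_csr "$KEY" "$WORK/evidence.csr"
if verify_evidence_csr "$WORK/evidence.csr" "$KEY"; then
    echo "CSR signature valid: the holder of $KEY produced it"
fi
```

The published artifact is the CSR (and the fingerprint of the key it was made with); a relying party re-runs the verify step and never needs the private key itself.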