On 28 February 2018 at 21:37, Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Wed, 28 Feb 2018 20:03:51 +0000
> Jeremy Rowley via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> > The keys were emailed to me. I'm trying to get a project together
> > where we self-sign a cert with each of the keys and publish them.
> > That way there's evidence to the community of the compromise without
> > simply listing 23k private keys. Someone on Reddit suggested that,
> > which I really appreciated.
>
> That's probably me (tialaramex).
>
> Anyway, if it is me you're referring to, I suggested using the private
> keys to issue a bogus CSR. CSRs are signed, proving that whoever made
> them had the corresponding private key, but they avoid the confusion
> that comes from DigiCert (or its employees) issuing bogus certs.
> Everybody reading m.d.s.policy can still see that a self-signed cert is
> harmless and not an attack, but it may be harder to explain in a
> soundbite. Maybe more technically able contributors disagree?

Seems to me that signing something that has nothing to do with certs is a safer option - e.g. sign random string+Subject DN.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
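To make the options discussed in this thread concrete, here is an added example (not code from the thread, DigiCert or Mozilla): Go functions that sign a random challenge plus the certificate's Subject DN with the leaked key, verify that signature against the public key taken from the certificate, and, for comparison, build the signed CSR that Nick Lamb proposed. The domain-separation label, the challenge string and the DN values are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// proofDigest hashes a fixed label (hypothetical, for domain separation), the
// random challenge and the certificate's Subject DN. Signing it proves key
// possession without producing anything that resembles a certificate.
func proofDigest(challenge []byte, subjectDN string) []byte {
	h := sha256.New()
	h.Write([]byte("key-compromise-proof-v1\x00"))
	h.Write(challenge)
	h.Write([]byte(subjectDN))
	return h.Sum(nil)
}

// SignProof is run by whoever holds the leaked key; publish all three values together.
func SignProof(priv *rsa.PrivateKey, challenge []byte, subjectDN string) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, proofDigest(challenge, subjectDN))
}

// VerifyProof is run by anyone with the public key from the issued certificate.
func VerifyProof(pub *rsa.PublicKey, challenge []byte, subjectDN string, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, proofDigest(challenge, subjectDN), sig) == nil
}

// ProofCSR is the thread's CSR option: verify with ParseCertificateRequest + CheckSignature.
func ProofCSR(priv *rsa.PrivateKey, commonName string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for a leaked key
	challenge := []byte("constructed-challenge-use-32-random-bytes-in-practice")
	sig, _ := SignProof(priv, challenge, "CN=example.test") // constructed DN
	fmt.Println("proof verifies:", VerifyProof(&priv.PublicKey, challenge, "CN=example.test", sig))
}
```

Changing the challenge, the Subject DN or the key makes VerifyProof return false, so a published (challenge, DN, signature) triple can be checked by anyone holding the certificate without a CA issuing anything.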