On 01/03/18 10:51, Ben Laurie via dev-security-policy wrote:
On 28 February 2018 at 21:37, Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
On Wed, 28 Feb 2018 20:03:51 +0000
Jeremy Rowley via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
The keys were emailed to me. I'm trying to get a project together
where we self-sign a cert with each of the keys and publish them.
That way there's evidence to the community of the compromise without
simply listing 23k private keys. Someone on Reddit suggested that,
which I really appreciated.
That's probably me (tialaramex).
Anyway, if it is me you're referring to, I suggested using the private
keys to issue a bogus CSR. CSRs are signed, proving that whoever made
them had the corresponding private key but they avoid the confusion
that comes from DigiCert (or its employees) issuing bogus certs.
Everybody reading m.d.s.policy can still see that a self-signed cert is
harmless and not an attack, but it may be harder to explain in a
soundbite. Maybe more technically able contributors disagree ?
Seems to me that signing something that has nothing to do with certs is a
safer option - e.g. sign random string+Subject DN.
And also throw in some transparency...
https://mailarchive.ietf.org/arch/msg/trans/WLFmIyaH4BJo77ZJDinKJcylOcg
--
Rob Stradling
Senior Research & Development Scientist
Email: rob.stradl...@comodoca.com
Bradford, UK
Office: +441274730505
ComodoCA.com
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
