Hi all,

I'd like to make everyone aware of a service I've just stood up, called
pwnedkeys.com.  It's intended to serve as a clearinghouse of known-exposed
private keys, so that services that accept public keys from external
entities (such as -- relevant to mdsp's interests -- CAs) can make one call
to get a fairly authoritative answer to the question "has the private key
I'm being asked to interact with in some way been exposed?".

It's currently loaded with great piles of Debian weak keys (from multiple
architectures, etc), as well as some keys I've picked up at various times. 
I'm also developing scrapers for various sites where keys routinely get
dropped.

The eventual intention is to be able to go from "private key is on The
Public Internet somewhere" to "shows up in pwnedkeys.com" automatically and
in double-quick time.

I know there are a number of very clever people on this list who have found
and extracted keys from more esoteric places than Google search, and I'd be
really interested in talking to you (privately, I'd imagine) about getting
specimens of those keys to add to the database.

I'd also welcome comments from anyone about the query API, the attestation
format, the documentation, or anything else vaguely relevant to the service. 
Probably best to take that off-list, though.

I do have plans to develop a PR against (the AWS Labs') certlint to cause it
to query the API, so there's no need for anyone to get deep into that unless
they're feeling especially frisky.  Other linting tools will *probably* have
to do their own development, as my Go skills are... rudimentary at best,
shall we say.  I'd be happy to give guidance or any other necessary help to
anyone looking at building those, though.

Finally, if any CAs are interested in integrating the pwnedkeys database
into their issuance pipelines, I'd love to discuss how we can work together.

Thanks,
- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy