On Wed, Dec 19, 2018 at 11:30:47AM +0100, Kurt Roeckx via dev-security-policy wrote:

> I'm not sure how you feel about listing keys that you don't have the
> private key for, but that are known to be compromised anyway. One potential
> source for such information might be CRLs where the reason for revocation
> was keyCompromise.
At *this* stage, I'm really only interested in providing proof of key exposure, via signatures. Just listing keys and saying "trust me, these are compromised" just seems... weak, somehow. Also, trawling revocation lists for keys requires matching up the issuer+serial number to a cert in another store (since CRLs only record serial numbers), which is just *annoying*.

> If you don't want to publish the private keys, distributing the public keys
> might be an option.

For a "bulk" export, yes, that is a possibility.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
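The CRL-matching step Matt calls annoying, as an added example that is not code from this thread or from any project mentioned in it. It uses the `cryptography` library: the CRL signature is checked against the issuer, each candidate cert is matched on (issuer, serial), and only entries whose reason code is keyCompromise yield a SHA-256 SPKI fingerprint of the affected public key. The CA, leaf certs and CRL in `build_fixture` are constructed in-process for the demo; "Example CA", "a.example" and the serial numbers are made-up values.

```python
import datetime, hashlib
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def compromised_spki_hashes(crl, issuer_cert, certs):
    """Map serial -> SHA-256(SPKI) for certs this CRL revokes with reason keyCompromise."""
    if not crl.is_signature_valid(issuer_cert.public_key()):
        raise ValueError("CRL signature does not verify against the issuer certificate")
    found = {}
    for cert in certs:
        if cert.issuer != crl.issuer:   # serials are only unique per issuer, so match both
            continue
        entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
        if entry is None:
            continue
        try:
            reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
        except x509.ExtensionNotFound:
            continue   # revoked without a reason code: not evidence of key compromise
        if reason == x509.ReasonFlags.key_compromise:
            spki = cert.public_key().public_bytes(
                serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
            found[cert.serial_number] = hashlib.sha256(spki).hexdigest()
    return found

# Constructed fixture (made-up names and serials): one CA, two leaf certs, one CRL.
def build_fixture():
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    ca_key = ec.generate_private_key(ec.SECP256R1())
    def cert(cn, serial, key):
        return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name("Example CA"))
                .public_key(key.public_key()).serial_number(serial)
                .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
                .sign(ca_key, hashes.SHA256()))
    ca = cert("Example CA", 1, ca_key)
    leaf_a = cert("a.example", 1001, ec.generate_private_key(ec.SECP256R1()))
    leaf_b = cert("b.example", 1002, ec.generate_private_key(ec.SECP256R1()))
    def revoked(serial, reason):
        return (x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now)
                .add_extension(x509.CRLReason(reason), critical=False).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
           .last_update(now).next_update(now + datetime.timedelta(days=1))
           .add_revoked_certificate(revoked(1001, x509.ReasonFlags.key_compromise))
           .add_revoked_certificate(revoked(1002, x509.ReasonFlags.superseded))
           .sign(ca_key, hashes.SHA256()))
    return ca, [leaf_a, leaf_b], crl
```

Only serial 1001 is reported: 1002 is revoked too, but with reason superseded, which says nothing about the key itself.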