Hi, I recently discovered two certificates issued for a private key that is part of the OpenSSL source code. Here's the key in question: https://github.com/openssl/openssl/blob/master/test/certs/x509-check-key.pem
This key is used in two certificates: https://crt.sh/?spkisha256=79f76c34a64d70c157113947dfe3cb8e4d7d035e4319142eb3dfb84c15f25ca4

One was issued by Digicert and expired shortly before I discovered this. The other was issued by Godaddy and has been revoked after I reported it.

I am not sure if there should be an expectation that example/test keys are blocked for certificate issuance. While it is certainly infeasible to ask to do this for any possible software, it seems OpenSSL is prominent enough that it's a relatively obvious thing to consider the keys shipped with it as candidates for a blocklist.

-- 
Hanno Böck
https://hboeck.de/
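Added example, not part of the post and not code from OpenSSL or either CA: a stdlib-only Python check that computes the SPKI SHA-256 crt.sh keys on (SHA-256 over the DER SubjectPublicKeyInfo) for a PEM public key or certificate and compares it against a blocklist seeded with the hash quoted above. The sample key and certificate-shaped DER at the bottom are constructed toys for running the check offline, not real keys.

```python
"""Compute the SPKI SHA-256 fingerprint (the value crt.sh's ?spkisha256= keys on) of a
PEM public key or certificate and check it against a blocklist. Stdlib only."""
import base64, hashlib, re

# Blocklist: the SPKI hash quoted in the post for OpenSSL's test/certs/x509-check-key.pem.
KNOWN_PUBLIC_SPKI = {"79f76c34a64d70c157113947dfe3cb8e4d7d035e4319142eb3dfb84c15f25ca4"}

def _tlv(buf, pos):                                # one DER header -> (tag, value_start, value_end)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def spki_from_cert_der(der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo, returned as DER bytes."""
    _, p, _ = _tlv(der, 0)                         # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                         # tbsCertificate SEQUENCE
    if der[p] == 0xA0:                             # optional [0] EXPLICIT version
        _, _, p = _tlv(der, p)
    for _ in range(5):                             # serial, sigAlg, issuer, validity, subject
        _, _, p = _tlv(der, p)
    tag, _, end = _tlv(der, p)                     # subjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed certificate: subjectPublicKeyInfo not found")
    return der[p:end]

def spki_sha256_from_pem(pem):
    """Lowercase hex SHA-256 over the DER SubjectPublicKeyInfo of a cert or public key."""
    m = re.search(r"-----BEGIN (CERTIFICATE|PUBLIC KEY)-----(.*?)-----END", pem, re.S)
    der = base64.b64decode("".join(m.group(2).split()))
    spki = spki_from_cert_der(der) if m.group(1) == "CERTIFICATE" else der
    return hashlib.sha256(spki).hexdigest()

def is_known_public_key(pem, blocklist=KNOWN_PUBLIC_SPKI):
    return spki_sha256_from_pem(pem) in blocklist  # True -> a CA should refuse issuance

# Constructed sample input (toy RSA numbers, not a real key): a SPKI and a
# certificate-shaped DER wrapping the same SPKI, so both code paths are exercised.
def _der(tag, body):                               # short-form DER only (body < 128 bytes)
    return bytes([tag, len(body)]) + body
def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
_rsa_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
_toy_rsa = _der(0x30, _der(0x02, b"\x00\xc3\x5b") + _der(0x02, b"\x01\x00\x01"))
SAMPLE_SPKI_DER = _der(0x30, _rsa_alg + _der(0x03, b"\x00" + _toy_rsa))
_tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _rsa_alg + _der(0x30, b"") * 3 + SAMPLE_SPKI_DER)
SAMPLE_CERT_DER = _der(0x30, _tbs + _rsa_alg + _der(0x03, b"\x00"))
SAMPLE_SPKI_PEM, SAMPLE_CERT_PEM = _pem("PUBLIC KEY", SAMPLE_SPKI_DER), _pem("CERTIFICATE", SAMPLE_CERT_DER)
```

Run against a real leaf certificate, the hash returned equals the spkisha256 value crt.sh shows for it, so the same function serves both a pre-issuance check and a retrospective sweep of already-issued certificates.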