The publication of RFC 9500 passed without too much notice so I thought I'd mention it here for both CAs and crypto library developers, the description is:
The widespread use of public key cryptosystems on the Internet has led to a proliferation of publicly known but not necessarily acknowledged keys that are used for testing purposes or that ship preconfigured in applications. These keys provide no security, but since there's no record of them, relying parties are often unaware that they provide no security. In order to address this issue, this document provides a set of standard public test keys that may be used wherever a preconfigured or sample key is required and, by extension, also in situations where such keys may be used, such as when testing digitally signed data. Their purpose corresponds roughly to that of the EICAR test file, a non-virus used as a test file for antivirus products, and the GTUBE file, a similar file used with spam-detection products.

Crypto library developers may want to use these keys as their standard test keys, and CAs should check for them when issuing certificates to make sure that they're not certifying test keys for production use.

Peter.
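An added illustration of the CA-side check suggested in the message above (not part of the original post and not code from RFC 9500): extract the SubjectPublicKeyInfo from a DER-encoded PKCS#10 request and compare its SHA-256 fingerprint against a denylist of known test keys. All function names are hypothetical, and the CSR bytes and the `TEST_KEYS` entry are constructed placeholders; a real denylist would hold fingerprints computed from the keys published in the RFC.

```python
import hashlib

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def csr_spki(csr):
    """Enter CertificationRequest and CertificationRequestInfo, step over
    version and subject, and return the encoded SubjectPublicKeyInfo."""
    pos = 0
    for want, enter in ((0x30, True), (0x30, True), (0x02, False), (0x30, False)):
        tag, start, end = read_tlv(csr, pos)
        if tag != want:
            raise ValueError("not a PKCS#10 request")
        pos = start if enter else end
    tag, _, end = read_tlv(csr, pos)
    if tag != 0x30:
        raise ValueError("missing SubjectPublicKeyInfo")
    return csr[pos:end]

def fingerprint(spki):
    return hashlib.sha256(spki).hexdigest()

def is_test_key(csr, denylist):
    """True if the key in the request is on the denylist of known test keys."""
    return fingerprint(csr_spki(csr)) in denylist

def der(tag, body):  # DER encoder, used only to build the constructed samples
    n = len(body)
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(ln)]) + ln) + body

def sample_csr(key_bytes):  # constructed, unsigned CSR-shaped bytes; returns (csr, spki)
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    spki = der(0x30, alg + der(0x03, b"\x00" + key_bytes))
    info = der(0x30, der(0x02, b"\x00") + der(0x30, b"") + spki + der(0xA0, b""))
    return der(0x30, info + alg + der(0x03, b"\x00")), spki  # dummy signature fields

TEST_CSR, TEST_SPKI = sample_csr(b"\x11" * 270)  # constructed stand-in, not an RFC 9500 key
TEST_KEYS = {fingerprint(TEST_SPKI)}             # placeholder denylist
```

Hash matching only catches byte-identical SubjectPublicKeyInfo encodings, so a key re-encoded under a different algorithm identifier or EC point format needs comparison on the key values themselves.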
