On Sun, Oct 20, 2024 at 09:05:31AM +0000, Peter Gutmann wrote: > Matt Palmer <[email protected]> writes: > >Relying parties should be checking keys against the dataset maintained by > >pwnedkeys.com, which has a great many keys, both test and otherwise, > >including the keys contained in RFC9500 (included since ~December 2023). > > Nice! Any chance of publishing either the SPKIs or the SPKI hashes?
Possibly. I have concerns around doing so, as the data set is very large, and constantly updating. I'd prefer to build a system which is capable of handling those challenges, and nobody has ever wanted to work with me to address them, so I haven't gotten around to it myself. I've also considered bloom-filtered querying for high volume applications, and k-anonymous lookups for the privacy conscious, but again, nobody's actually seriously asked me for that, so they're also in the "round tuit" bucket. > There are lots of things around that can't make arbitrary Internet > requests every time they see a new key. While I'm sure there are *some* things that can't make arbitrary requests, I'm less confident about the "lots" part. If you're regularly seeing new keys, you're probably communicating on the Internet, in which case... - Matt -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/11142a0e-a80a-44a2-b15f-85cd65712402%40mtasv.net.
