Hi Matt,

Thanks for running this important service!

The FAQ points out that the revokinator does not use the standardized ACME method for reporting key-compromised certificates. The reason given is that the ACME method requires the private key to be online to sign a nonce (i.e. to demonstrate, not just assert, compromise), but the revokinator stores private keys offline "for security reasons". Given that these private keys are already compromised, why is the revokinator's storage solution so important as to preclude implementing the only (as far as I'm aware) IETF-standardized compromise reporting mechanism?

Aaron

On Sat, Nov 9, 2024, 21:05 Matt Palmer <[email protected]> wrote:
> Hi everyone,
>
> As some eagle-eyed CAs may have noticed, I've revamped and restarted the Pwnedkeys Revokinator, which matches compromised keys from the Pwnedkeys dataset against issued WebPKI certificates, and sends compromise attestations to the issuing CAs.
>
> The major change from last time I was running the Revokinator is that I have no intention of trawling the revocation status information looking for violations of the BRs. CAs are free to ignore the notifications that Revokinator sends (as a representative of one CA has hinted may occur if I don't follow their specific manual processes to generate evidence in their preferred format), without fear of incident reports being filed by me.
>
> Instead, I have stood up a site, at https://pwnedkeys.com/revokinator, that is intended to be the one-stop shop for displaying all of the information that the Revokinator has about compromised certificates, compromise notifications, OCSP checks, and so on. Anyone who wants to trawl that data looking for BR and policy violations may do so, and create incidents as they see fit. The complete database schema describing what is being recorded by the Revokinator is available at https://pwnedkeys.com/revokinator/db-schema.
>
> The current information being displayed is very incomplete, and serves more as a demonstration of how to write extract/display functions than a complete dump of available information. The codebase is publicly available at https://github.com/pwnedkeys/revokinator-site, so if you're keen to be able to see more of the Revokinator's data, submit PRs.
>
> There is an FAQ about the Revokinator at https://pwnedkeys.com/revokinator/faq that gives details about how the Revokinator works, and various other pieces of information that may be of interest. Of particular note to CAs, there are instructions on how CAs may receive notifications by means other than email. They may wish to consider implementing that route in the near future, as at some point I will be running a script to match the backlog of compromised certificates and bulk-submit them to CAs, which may put significant load on whoever sits on the problem report mailbox.
>
> Finally, I don't intend for mdsp to become the Revokinator announcements list, so if you wish to receive future updates about improvements to the Revokinator as they're released, I'd suggest subscribing to the Pwnedkeys newsletter (https://pwnedkeys.com/newsletter/subscribe), where future announcements will be posted.
>
> - Matt
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/695ca8fc-a4cd-42cf-b589-de3f3e854727%40mtasv.net.

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnEreQTD5ZPebZgYFG0e0kUBhDtyXC6i7WL_biOnSpLXczbA%40mail.gmail.com.
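The ACME key-compromise revocation Aaron refers to, as an added example that is not part of this thread or of the Revokinator's code: it builds the RFC 8555 section 7.6 revokeCert JWS signed with the certificate's own P-256 key (the nonce sits inside the signed header, which is why the key must be online) and shows the check a CA performs on receipt. The certificate DER, nonce and revoke URL are constructed placeholders; the block does not perform the HTTP POST, and a real CA takes the public key from the certificate in the payload rather than receiving it as a parameter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// RevokeRequest is a flattened JWS for the ACME revokeCert resource (RFC 8555 section 7.6).
type RevokeRequest struct{ Protected, Payload, Signature string }
func b64(b []byte) string     { return base64.RawURLEncoding.EncodeToString(b) }
func pad32(i *big.Int) []byte { return i.FillBytes(make([]byte, 32)) }
// BuildKeyCompromiseRevocation signs the request with the certificate's own key. The CA's fresh
// nonce is inside the signed header, so only a holder of the private key can produce the signature.
func BuildKeyCompromiseRevocation(certDER []byte, key *ecdsa.PrivateKey, nonce, url string) (RevokeRequest, error) {
	jwk := map[string]string{"kty": "EC", "crv": "P-256", "x": b64(pad32(key.X)), "y": b64(pad32(key.Y))}
	hdr, _ := json.Marshal(map[string]any{"alg": "ES256", "jwk": jwk, "nonce": nonce, "url": url})
	body, _ := json.Marshal(map[string]any{"certificate": b64(certDER), "reason": 1}) // 1 = keyCompromise
	req := RevokeRequest{Protected: b64(hdr), Payload: b64(body)}
	h := sha256.Sum256([]byte(req.Protected + "." + req.Payload))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		return req, err
	}
	req.Signature = b64(append(pad32(r), pad32(s)...)) // JWS ES256 signature is r || s, 32 bytes each
	return req, nil
}

// VerifyKeyCompromise is the CA side: certPub comes from the certificate named in the payload; the
// signature must verify under it and the nonce must be the one the CA issued (no bare assertion, no replay).
func VerifyKeyCompromise(req RevokeRequest, certPub *ecdsa.PublicKey, expectedNonce string) bool {
	hdrJSON, e1 := base64.RawURLEncoding.DecodeString(req.Protected)
	sig, e2 := base64.RawURLEncoding.DecodeString(req.Signature)
	var hdr struct{ Nonce string }
	if e1 != nil || e2 != nil || len(sig) != 64 || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Nonce != expectedNonce {
		return false
	}
	h := sha256.Sum256([]byte(req.Protected + "." + req.Payload))
	return ecdsa.Verify(certPub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}
func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the leaked certificate key (constructed)
	req, _ := BuildKeyCompromiseRevocation([]byte("constructed DER"), key, "nonce-1", "https://ca.example/acme/revoke-cert")
	fmt.Println("accepted:", VerifyKeyCompromise(req, &key.PublicKey, "nonce-1"), "replayed:", VerifyKeyCompromise(req, &key.PublicKey, "old"))
}
```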
