In my opinion, currently each Certificate Authority (CA) can only identify and reject the public keys revoked due to key compromise within its own PKI, but not those from other CAs. However, I believe that CAs have the obligation to submit the public keys of compromised keys to PwnedKeys, a centralized service. They are also obliged to conduct verification via PwnedKeys when receiving a CSR to prevent the use of leaked or insecure keys.
It is appropriate for this centralized service to be operated by entities like Mozilla or Google, which have their own independent root inclusion policies or programs. Moreover, we need a neutral yet mandatory service to address the issue of sharing information about compromised keys.

On Friday, February 7, 2025 at 9:23:03 AM UTC+8 Matt Palmer wrote:

> On Sun, Feb 02, 2025 at 11:23:09PM -0800, Arabella Barks wrote:
> > Should Mozilla provide a service similar to Pwnedkeys to verify whether the
> > digest of an asymmetric private key matches the weak keys library and all
> > key libraries where the keys have been revoked by CAs and marked as
> > keyCompromised?
>
> Out of curiosity, what benefits do you think Mozilla would get from
> running such a service? Unsurprisingly, I can think of a few
> possibilities, but I'm keen to see what you (and others) think.
>
> - Matt
> (posting in my capacity as Pwnedkeys' God-King, CEO, and assistant
> bottle-washer)
