Eddy Nigg (StartCom Ltd.) wrote:
> Oh, that would technically not be possible I guess. Searching for such
> keys "dynamically" could take hours per key, hence previously created
> keys are used. They would need to be hosted somewhere and compared to.
> That's why Mozilla would know about which public key was used (the least).

As https://bugzilla.mozilla.org/show_bug.cgi?id=435082 explains, we would have a locally-stored blacklist.

> I expect that Mozilla will not come up with the resources for it.

What makes you expect that? Such a list of weak keys already exists, anyway.
http://metasploit.com/users/hdm/tools/debian-openssl/

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security