Gervase Markham:
> Eddy Nigg (StartCom Ltd.) wrote:
>
>> Oh, that would technically not be possible I guess. Searching for such
>> keys "dynamically" could take hours per key, hence previously created
>> keys are used. They would need to be hosted somewhere and compared to.
>> That's why Mozilla would know about which public key was used (the least).
>>
>
> As https://bugzilla.mozilla.org/show_bug.cgi?id=435082 explains, we
> would have a locally-stored blacklist.
>
Locally stored where exactly? Do you have an idea how big such a list
which would cover just the most commonly used key sizes would be?
Doesn't sound feasible to me, hence I thought you were talking about
some kind of lookup service.

> What makes you expect that?
>
> Such a list of weak keys already exists, anyway.
> http://metasploit.com/users/hdm/tools/debian-openssl/
>
>

Yes I know obviously. That's exactly why I think it's not in the cards.

Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:  +1.213.341.0390

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
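
Added example, not part of the original message or of any Mozilla code: a sketch of how a locally-stored blacklist of the kind discussed in this thread could be packed and searched offline, with a size estimate. The entry format (truncated SHA-256 of the modulus), the figure of 32768 keys per variant, and all function names are assumptions made for illustration.

```python
import hashlib

ENTRY_BYTES = 10          # assumed: keep 80 bits of each digest
KEYS_PER_VARIANT = 32768  # assumed: one weak key per process ID per variant


def fingerprint(modulus: int) -> bytes:
    """Truncated SHA-256 of the big-endian modulus (hypothetical entry format)."""
    raw = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()[:ENTRY_BYTES]


def build_blob(moduli) -> bytes:
    """Pack sorted, de-duplicated fingerprints into one fixed-width blob."""
    return b"".join(sorted({fingerprint(m) for m in moduli}))


def is_blacklisted(blob: bytes, modulus: int) -> bool:
    """Binary search over the fixed-width records; no network lookup needed."""
    target = fingerprint(modulus)
    lo, hi = 0, len(blob) // ENTRY_BYTES
    while lo < hi:
        mid = (lo + hi) // 2
        entry = blob[mid * ENTRY_BYTES:(mid + 1) * ENTRY_BYTES]
        if entry == target:
            return True
        if entry < target:
            lo = mid + 1
        else:
            hi = mid
    return False


def estimated_size(variants: int) -> int:
    """Bytes needed for `variants` (architecture, key size) combinations."""
    return variants * KEYS_PER_VARIANT * ENTRY_BYTES


# Constructed sample moduli, standing in for a real weak-key list.
SAMPLE_WEAK = [0xC0FFEE0001 + 2 * i for i in range(1000)]
SAMPLE_BLOB = build_blob(SAMPLE_WEAK)

if __name__ == "__main__":
    print(is_blacklisted(SAMPLE_BLOB, SAMPLE_WEAK[42]))
    print(is_blacklisted(SAMPLE_BLOB, 0xDEADBEEF01))
    print(estimated_size(6))
```

Because entries are truncated digests, a match identifies a candidate weak key with a negligible but non-zero chance of a false positive; the client never has to send the key anywhere to get the answer.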