On 27/12/2018 10:35, Matt Palmer via dev-security-policy wrote:
> Hmm, Rob's reply never made it to my inbox. I'll reply to that separately
> now I know it's a thing.
Hi Matt. I'm consistently receiving "Undelivered Mail Returned to
Sender" messages from your mailserver, which is presumably
On Wed, 19 Dec 2018 05:09:11 -0600, Rob Stradling wrote:
> How do you handle malformed SPKIs? (e.g., the algorithm parameters
> field for an RSA public key is missing, whereas it should be present and
> should contain an ASN.1 NULL).
>
> Presumably your server/database only deals with
Hmm, Rob's reply never made it to my inbox. I'll reply to that separately
now I know it's a thing.
On Thu, Dec 27, 2018 at 05:56:08PM +0900, Hector Martin 'marcan' via
dev-security-policy wrote:
> On 19/12/2018 20:09, Rob Stradling via dev-security-policy wrote:
> > I'm wondering how I might
On 19/12/2018 20:09, Rob Stradling via dev-security-policy wrote:
I'm wondering how I might add a pwnedkeys check to crt.sh. I think I'd
prefer to have a table of SHA-256(SPKI) stored locally on the crt.sh DB.
Yes, I think the right approach for an upstream source is to provide a
big list of
On Wed, Dec 19, 2018 at 10:08:51AM +0100, Kurt Roeckx via dev-security-policy
wrote:
> On 2018-12-18 11:44, Matt Palmer wrote:
> > It's currently loaded with great piles of Debian weak keys (from multiple
> > architectures, etc), as well as some keys I've picked up at various times.
> > I'm also
I threw together a quick Go library for using this API to see how it works
in a larger app.
https://github.com/adamdecaf/pwnedkeys
On Wed, Dec 19, 2018 at 3:34 AM Matt Palmer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Wed, Dec 19, 2018 at 11:30:47AM +0100, Kurt
On Wed, Dec 19, 2018 at 11:30:47AM +0100, Kurt Roeckx via dev-security-policy
wrote:
> I'm not sure how you feel about listing keys where you don't have the
> private key for, but are known to be compromised anyway. One potential
> source for such information might be CRLs where the reason for
Hi Matt. This is great. A few comments inline...
On 19/12/2018 09:00, Matt Palmer via dev-security-policy wrote:
> Hi Ryan,
>
> On Tue, Dec 18, 2018 at 08:24:48PM -0800, Ryan Hurst via dev-security-policy
> wrote:
>> My first thought is by using SPKI you have limited the service
>>
On 2018-12-19 10:55, Matt Palmer wrote:
On Wed, Dec 19, 2018 at 10:08:51AM +0100, Kurt Roeckx via dev-security-policy
wrote:
On 2018-12-18 11:44, Matt Palmer wrote:
It's currently loaded with great piles of Debian weak keys (from multiple
architectures, etc), as well as some keys I've picked
On Wed, Dec 19, 2018 at 10:08:51AM +0100, Kurt Roeckx via dev-security-policy
wrote:
> On 2018-12-18 11:44, Matt Palmer wrote:
> > It's currently loaded with great piles of Debian weak keys (from multiple
> > architectures, etc), as well as some keys I've picked up at various times.
> > I'm also
Ryan Hurst via dev-security-policy
writes:
>My first thought is by using SPKI you have limited the service unnecessarily
>to X.509 related keys, I imagined something like this covering PGP, JWT as
>well as other formats. It would be nice to see the scope increased
>accordingly.
You can't do it
On 2018-12-18 11:44, Matt Palmer wrote:
It's currently loaded with great piles of Debian weak keys (from multiple
architectures, etc), as well as some keys I've picked up at various times.
I'm also developing scrapers for various sites where keys routinely get
dropped.
You might for instance
Hi Ryan,
On Tue, Dec 18, 2018 at 08:24:48PM -0800, Ryan Hurst via dev-security-policy
wrote:
> My first thought is by using SPKI you have limited the service
> unnecessarily to X.509 related keys, I imagined something like this
> covering PGP, JWT as well as other formats. It would be nice to
On Tuesday, December 18, 2018 at 2:44:22 AM UTC-8, Matt Palmer wrote:
> Hi all,
>
> I'd like to make everyone aware of a service I've just stood up, called
> pwnedkeys.com. It's intended to serve as a clearinghouse of known-exposed
> private keys, so that services that accept public keys from
Hi all,
I'd like to make everyone aware of a service I've just stood up, called
pwnedkeys.com. It's intended to serve as a clearinghouse of known-exposed
private keys, so that services that accept public keys from external
entities (such as -- relevant to mdsp's interests -- CAs) can make one
15 matches