There's no clear guideline on this. There's a BR rule saying that CAs should prevent the use of known compromised keys, and the Debian OpenSSL bug is always the prime example, but there's no standard practice for which keys should be blacklisted.
I had all kinds of weird experiences, including: I reported a key compromise, the cert got revoked, and a new cert got created with the same key (at the same CA). I also found Debian weak keys last year in active certs, i.e. 10 years later.
Of course you cannot possibly expect that a CA knows about all private keys available anywhere on the internet. It would be an idea to have a shared database of compromised keys (there are things like https://github.com/BenBE/kompromat where such keys are collected).
Replying to @hanno @Scott_Helme
I figured as much. Since it's not really any secret, the following two keys have been used to obtain certificates from CAs (@GoDaddy, @globalsign, @digicert): https://github.com/nodejs/node/blob/master/deps/npm/node_modules/node-gyp/test/fixtures/server.key and https://github.com/gruntjs/grunt-contrib-connect/blob/master/tasks/certs/server.key
Replying to @hanno @Scott_Helme and
Ah, it looks like Twitter leaves the first link as a hyperlink, and the second one is made "prettier". The first is a nodejs link, the second is a gruntjs link.
Thx, added to my kompromat repository. As nodejs contained several more keys, it might take a bit until I push the changes. P.S.: When you're done notifying affected users of the initially mentioned key collection, I'd be happy about a PR to add them too.
Replying to @BenBE1987 @wdormann and
I checked all the nodejs keys; several of them are the same in different files, so better filter out the duplicates.
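As an added example (not code from this thread and not part of the kompromat project), the check the two posts above call for: derive the public key from each leaked PEM private key, fingerprint its SubjectPublicKeyInfo so the same key checked in under several paths collapses into a single blacklist entry, and test the public key in a certificate against that set. It uses a minimal DER encoder/parser written for this example instead of a crypto library, handles only PKCS#1 "RSA PRIVATE KEY" blocks, and runs on constructed textbook-sized keys and a constructed certificate under hypothetical paths; none of the keys or paths are the ones linked in the thread.

```python
import base64
import hashlib
import re

# DER contents of OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    """Encode one DER TLV (single-byte tags only; enough for PKCS#1 and X.509 here)."""
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def der_walk(buf):
    """Split a DER concatenation into (tag, body, raw_tlv) tuples."""
    items, off = [], 0
    while off < len(buf):
        tag, first = buf[off], buf[off + 1]
        nlen = 0 if first < 0x80 else first & 0x7F
        length = first if first < 0x80 else int.from_bytes(buf[off + 2:off + 2 + nlen], "big")
        end = off + 2 + nlen + length
        items.append((tag, buf[off + 2 + nlen:end], buf[off:end]))
        off = end
    return items

def pem_to_der(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def spki_from_rsa_private_key(pkcs1_der):
    """SubjectPublicKeyInfo for a PKCS#1 RSAPrivateKey ::= SEQUENCE { version, n, e, d, ... }."""
    fields = der_walk(der_walk(pkcs1_der)[0][1])
    rsa_public_key = der(0x30, fields[1][2] + fields[2][2])   # reuse the INTEGER TLVs of n and e
    alg_id = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_public_key))

def spki_from_certificate(cert_der):
    """subjectPublicKeyInfo out of Certificate -> tbsCertificate (v1 and v3 layouts)."""
    fields = der_walk(der_walk(der_walk(cert_der)[0][1])[0][1])
    if fields[0][0] == 0xA0:             # EXPLICIT [0] version is absent in v1 certificates
        fields = fields[1:]
    return fields[5][2]                  # serial, signature, issuer, validity, subject, SPKI

def spki_fingerprint(spki_der):
    return hashlib.sha256(spki_der).hexdigest()

def build_blacklist(leaked_files):
    """fingerprint -> files holding that key; one key under several paths becomes one entry."""
    blacklist = {}
    for path, pem in leaked_files.items():
        label, der_bytes = pem_to_der(pem)
        if label != "RSA PRIVATE KEY":
            raise ValueError(f"{path}: only PKCS#1 RSA keys are handled in this example")
        blacklist.setdefault(spki_fingerprint(spki_from_rsa_private_key(der_bytes)), []).append(path)
    return blacklist

def check_certificate(cert_der, blacklist):
    """Return (fingerprint, list of leaked files carrying this key, or None)."""
    fp = spki_fingerprint(spki_from_certificate(cert_der))
    return fp, blacklist.get(fp)

# Constructed sample data: textbook-sized RSA parameters, structurally valid, cryptographically worthless.
def _fake_rsa_key_pem(p, q, e):
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    ints = (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    b64 = base64.b64encode(der(0x30, b"".join(der_int(i) for i in ints))).decode()
    return f"-----BEGIN RSA PRIVATE KEY-----\n{b64}\n-----END RSA PRIVATE KEY-----\n"

def _fake_certificate_der(spki_der):
    alg = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    name = der(0x30, b"")                                   # empty Name; irrelevant to the key check
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(4242) + alg + name + validity + name + spki_der)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))        # signature bytes are not checked here

KEY_A, KEY_B, KEY_C = (_fake_rsa_key_pem(*pqe) for pqe in ((61, 53, 17), (11, 13, 7), (17, 23, 5)))
LEAKED_FILES = {"repo-a/test/fixtures/server.key": KEY_A,   # hypothetical paths; KEY_A appears twice
                "repo-a/test/fixtures/copy/server.key": KEY_A,
                "repo-b/certs/dev.key": KEY_B}
BLACKLIST = build_blacklist(LEAKED_FILES)
CERT_WITH_LEAKED_KEY = _fake_certificate_der(spki_from_rsa_private_key(pem_to_der(KEY_A)[1]))
CERT_WITH_FRESH_KEY = _fake_certificate_der(spki_from_rsa_private_key(pem_to_der(KEY_C)[1]))
```

For real files the same fingerprint comes out of `openssl pkey -in server.key -pubout -outform DER | openssl dgst -sha256`, and crt.sh can be searched by SHA-256(SubjectPublicKeyInfo), so one hash per leaked key is enough to find every certificate issued for it. The EC keys mentioned later in the thread, and PKCS#8-wrapped keys in general, need a different SPKI construction; the parser above refuses them rather than hashing the wrong structure.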
At least about 200 are within https://github.com/nodejs/node/blob/8c9aaacb333a0223243eda9b3551dbf26fdb260a/deps/openssl/openssl/test/recipes/30-test_evp_data/evppkey_ecc.txt. Still collecting and filtering them …
Replying to @BenBE1987 @wdormann and
That looks like a bundled copy of OpenSSL.
As I look at my pile of CAs to contact, it's looking like I might need help with the best way to get through to each of them. Picking one off the top of the list as an example, how would one start with https://crt.sh/?caid=1663 and end up with an email address to notify?
You might be able to look it up via the CCADB (cf. https://ccadb.org/resources). On https://ccadb-public.secure.force.com/mozilla/AllCAAIdentifiersReport … you find Sectigo to be responsible for the DOMENY. This gives us https://www.comodo.com/repository/Comodo_CA_CPS_4.1.8.pdf as the CP (cf. links on the CCADB page). Try to contact them and let them escalate. HTH.