Before I reinvent any wheels, are there already any tools that can help automate the reporting of compromised keys to respective CAs? That is, given a key present in either https://crt.sh/?q= (certificate hash) https://crt.sh/?spkisha256= (key hash) show the proper contact info.
-
-
Dump them on Twitter and tag the respective CAs. The certs are already compromised. Public disclosure would surely be the fastest way to get them revoked.
1 reply 0 retweets 1 like -
This would still require a mapping from CA to twitter handle. I currently have a list of 38 different CAs that need to be contacted in some way.
1 reply 0 retweets 0 likes -
Ah, ok. I guess you can use Twitter for CAs that you can find on Twitter, and mozilla-dev-security-policy for the rest. There should definitely be more standardization regarding key revocation.
1 reply 0 retweets 1 like -
Right. Given a pile of about 100 compromised keys that were issued by 38 different CAs, how would you automate the revocation process? Automation being important so as to be scalable. e.g. what if it were 1000 CAs?
2 replies 2 retweets 1 like -
The CA/B forum baseline requirements should require that every CA registers an automated certificate revocation endpoint that takes cert keypairs as input. Are there any standardization efforts working towards something like this?
1 reply 0 retweets 1 like -
0 replies 0 retweets 0 likes
Sadly, the info used in section 1.5.2 of CPS isn't always accurate. Some don't include an email address. And some list an email address that apparently isn't used for reporting certificate problems. e.g. when contacting the @SectigoHQ (formerly Comodo) address, you get this:pic.twitter.com/OiL7Yw18xQ
-
-
Oh, and the one that included no email address in 1.5.2 (not sure if that's a requirement?) is
@register_com https://crt.sh/?caid=91 http://ca.register.com/repository/Register_CPS.pdf …pic.twitter.com/wVt6rK8zb3
2 replies 0 retweets 0 likes - 2 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.