I threw together a quick Go library for using this API to see how it works in a larger app.
https://github.com/adamdecaf/pwnedkeys

On Wed, Dec 19, 2018 at 3:34 AM Matt Palmer via dev-security-policy <[email protected]> wrote:

> On Wed, Dec 19, 2018 at 11:30:47AM +0100, Kurt Roeckx via dev-security-policy wrote:
> > I'm not sure how you feel about listing keys where you don't have the
> > private key for, but are known to be compromised anyway. One potential
> > source for such information might be CRLs where the reason for revocation
> > was keyCompromise.
>
> At *this* stage, I'm really only interested in providing proof of key
> exposure, via signatures. Just listing keys and saying "trust me, these are
> compromised" just seems... weak, somehow. Also, trawling revocation lists
> for keys requires matching up the issuer+serial number to a cert in another
> store (since CRLs only record serial numbers), which is just *annoying*.
>
> > If you don't want to publish the private keys, distributing the public keys
> > might be an option.
>
> For a "bulk" export, yes, that is a possibility.
>
> - Matt
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
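The issuer+serial matching that the quoted message describes, as an added Go example that is not part of the original thread or of the pwnedkeys library: CRL entries with reason keyCompromise are resolved to public-key (SPKI) fingerprints through a certificate store. `CompromisedSPKIs`, `cert`, `Sample` and all sample values are constructed for illustration; the code assumes Go 1.21 or later for `RevokedCertificateEntries`.

```go
package main

import (
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
)

const keyCompromise = 1 // CRLReason value from RFC 5280

// CompromisedSPKIs resolves keyCompromise CRL entries, which carry only a serial
// number, to the set of SHA-256 SPKI fingerprints via an (issuer, serial) lookup.
func CompromisedSPKIs(crls []*x509.RevocationList, store []*x509.Certificate) map[string]bool {
	index := make(map[string]*x509.Certificate, len(store))
	for _, c := range store {
		index[string(c.RawIssuer)+"|"+c.SerialNumber.String()] = c
	}
	fps := map[string]bool{} // a set: one key may sit behind several certificates
	for _, crl := range crls { // real CRLs: verify with CheckSignatureFrom first
		for _, e := range crl.RevokedCertificateEntries {
			c, ok := index[string(crl.RawIssuer)+"|"+e.SerialNumber.String()]
			if ok && e.ReasonCode == keyCompromise {
				fps[fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))] = true
			}
		}
	}
	return fps
}

// cert builds a constructed stand-in; x509.ParseCertificate fills the same fields.
func cert(issuer string, serial int64, spki string) *x509.Certificate {
	return &x509.Certificate{RawIssuer: []byte(issuer), SerialNumber: big.NewInt(serial), RawSubjectPublicKeyInfo: []byte(spki)}
}

// Sample returns constructed data: one CRL from "CA-A" and a store with two issuers.
func Sample() ([]*x509.RevocationList, []*x509.Certificate) {
	crl := &x509.RevocationList{RawIssuer: []byte("CA-A"), RevokedCertificateEntries: []x509.RevocationListEntry{
		{SerialNumber: big.NewInt(2), ReasonCode: keyCompromise},
		{SerialNumber: big.NewInt(3), ReasonCode: 4},             // superseded, not a key exposure
		{SerialNumber: big.NewInt(9), ReasonCode: keyCompromise}, // certificate not in the store
	}}
	store := []*x509.Certificate{cert("CA-A", 2, "key-a2"), cert("CA-A", 3, "key-a3"), cert("CA-B", 2, "key-b2")}
	return []*x509.RevocationList{crl}, store
}

func main() {
	fmt.Println(CompromisedSPKIs(Sample()))
}
```

The "CA-B" certificate shares serial 2 with the revoked "CA-A" certificate and is not reported, which is why the lookup key has to include the issuer and not the serial alone.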

