On 19/12/2018 20:09, Rob Stradling via dev-security-policy wrote:
> I'm wondering how I might add a pwnedkeys check to crt.sh. I think I'd prefer to have a table of SHA-256(SPKI) stored locally on the crt.sh DB.
Yes, I think the right approach for an upstream source is to provide a big list of hashes. People can then postprocess that into whatever database or filter format they want. For example, this is how Pwned Passwords does things, and I wrote a bloom filter implementation to import that for production usage (with parameters tuned for my personal taste of false positive rate, etc).
-- 
Hector Martin "marcan"
Public key: https://mrcn.st/pub
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
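The approach described in the reply above, as an added example that is not part of the original thread and is not Hector Martin's, crt.sh's or pwnedkeys' code: an upstream list of SHA-256(SPKI) hashes is post-processed into a Bloom filter sized for a chosen false-positive rate, and certificates are then checked by hashing their SubjectPublicKeyInfo and probing the filter. The upstream list format (one lowercase-hex SHA-256 per line, `#` comments allowed) and the sample "SPKIs" are assumptions constructed for the example; the filter uses standard Kirsch-Mitzenmacher double hashing, which is one common implementation choice, not necessarily the one used in production.

```python
"""Bloom filter over a published list of SHA-256(SPKI) hashes (added example)."""
import hashlib
import math
from typing import Iterable, List


class BloomFilter:
    """Fixed-size Bloom filter for byte-string membership tests.

    Sized from the expected item count n and target false-positive rate p:
    m = -n*ln(p)/(ln 2)^2 bits and k = (m/n)*ln 2 hash functions.
    """

    def __init__(self, expected_items: int, false_positive_rate: float) -> None:
        if expected_items <= 0 or not 0.0 < false_positive_rate < 1.0:
            raise ValueError("need expected_items > 0 and 0 < false_positive_rate < 1")
        self.m = math.ceil(-expected_items * math.log(false_positive_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0

    def _indices(self, item: bytes) -> Iterable[int]:
        # Kirsch-Mitzenmacher double hashing: two 64-bit values taken from one
        # SHA-256 of the item give k bit positions h1 + i*h2 mod m.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd stride, never 0
        return ((h1 + i * h2) % self.m for i in range(self.k))

    def add(self, item: bytes) -> None:
        for idx in self._indices(item):
            self.bits[idx >> 3] |= 1 << (idx & 7)
        self.count += 1

    def __contains__(self, item: bytes) -> bool:
        # False means definitely absent; True means present or a false positive.
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indices(item))

    def expected_fp_rate(self) -> float:
        # Textbook estimate (1 - e^(-kn/m))^k for the items actually inserted.
        return (1.0 - math.exp(-self.k * self.count / self.m)) ** self.k


def parse_hash_list(text: str) -> List[bytes]:
    """Parse the assumed upstream format: one lowercase-hex SHA-256 per line."""
    hashes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if len(line) != 64:
            raise ValueError(f"line {lineno}: expected 64 hex chars, got {len(line)}")
        hashes.append(bytes.fromhex(line))  # raises ValueError on non-hex input
    return hashes


def build_filter(hashes: List[bytes], false_positive_rate: float) -> BloomFilter:
    bf = BloomFilter(len(hashes), false_positive_rate)
    for h in hashes:
        bf.add(h)
    return bf


def spki_fingerprint(spki_der: bytes) -> bytes:
    """SHA-256 over the DER-encoded SubjectPublicKeyInfo is the lookup key."""
    return hashlib.sha256(spki_der).digest()


def is_pwned(bf: BloomFilter, spki_der: bytes) -> bool:
    return spki_fingerprint(spki_der) in bf


# Constructed sample data: byte strings standing in for DER SPKIs, not real keys.
COMPROMISED_SPKIS = [b"constructed-compromised-spki-%d" % i for i in range(1000)]
UPSTREAM_LIST = "# constructed pwned-SPKI list\n" + "\n".join(
    spki_fingerprint(s).hex() for s in COMPROMISED_SPKIS
)


def demo() -> dict:
    bf = build_filter(parse_hash_list(UPSTREAM_LIST), false_positive_rate=0.001)
    probes = [b"constructed-clean-spki-%d" % i for i in range(10000)]
    return {
        "m_bits": bf.m,
        "k_hashes": bf.k,
        "all_members_found": all(is_pwned(bf, s) for s in COMPROMISED_SPKIS),
        "false_positives_of_10000": sum(is_pwned(bf, p) for p in probes),
        "expected_fp_rate": bf.expected_fp_rate(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A filter built this way never misses a listed key, so a negative answer can short-circuit the expensive path; a positive answer should be confirmed against the authoritative list (or the upstream service) before anything is acted on, since the false-positive rate is a tuning parameter rather than zero.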

