On 07/03/2020 23:57, Matt Palmer via dev-security-policy wrote:
<snip>
As further independent confirmation, the crt.sh page for the certificate
shows that crt.sh *also* identifies the certificate as having a Debian weak
key. My understanding is that crt.sh uses a database of keys that was
independently generated by the operator of the crt.sh service.
For the crt.sh check, I augmented Debian's original blacklists with some
other blacklists I generated ~12yrs ago for a few less common key sizes
[1]. See also [2].
[1] https://secure.sectigo.com/debian_weak_keys/
[2] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg10060.html
- Matt
--
Rob Stradling
Senior Research & Development Scientist
Email: r...@sectigo.com