Hanno Böck <[email protected]> writes:

> I am not sure if there should be an expectation that example/test keys are
> blocked for certificate issuance. While it is certainly infeasible to ask to
> do this for any possible software, it seems OpenSSL is prominent enough that
> it's a relatively obvious thing to consider the keys shipped with it as
> candidates for a blocklist.
Is there some recommended way to identify public keys corresponding to well-known private keys? For example a list of SHA-1 fingerprints of the SPKIs of various not-private-any-more keys? If there was an open-source list somewhere it'd make it easy to maintain a blacklist in implementations.

In terms of identifying dubious certs, it might also be useful to check for DN components from OpenSSL test certs; I don't know how many of those I've seen where the devs have just done whatever's necessary to make the errors go away.

Peter.

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/SY4PR01MB62515B02384FC2D23B6FEF3BEE969%40SY4PR01MB6251.ausprd01.prod.outlook.com.
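Added example, not from the thread: a stdlib-only Python sketch of the SPKI-fingerprint blocklist check Peter asks about. It pulls the raw SubjectPublicKeyInfo out of a DER certificate (handling both v1 certificates and the explicit version tag of v2/v3), hashes it, and compares against a set of fingerprints. The DER walker assumes definite lengths and single-byte tags; `SAMPLE_SPKI` and `build_cert` are constructed placeholders for testing, and a real deployment would load fingerprints of the known OpenSSL test keys from a maintained list.

```python
import hashlib

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (single-byte tags only)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_split(tlv: bytes):
    """Return (tag, content, trailing bytes) for the first TLV in tlv."""
    tag, first = tlv[0], tlv[1]
    hdr = 2 if first < 0x80 else 2 + (first & 0x7F)
    n = first if first < 0x80 else int.from_bytes(tlv[2:hdr], "big")
    return tag, tlv[hdr:hdr + n], tlv[hdr + n:]

def der_children(content: bytes):
    """List the (tag, raw_tlv) children of a constructed DER element."""
    out = []
    while content:
        tag, _, rest = der_split(content)
        out.append((tag, content[:len(content) - len(rest)]))
        content = rest
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Raw SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    _, cert_body, _ = der_split(cert_der)   # Certificate SEQUENCE
    _, tbs_body, _ = der_split(cert_body)   # tbsCertificate SEQUENCE
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                # explicit [0] version, v2/v3 only
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def fingerprint(spki: bytes, algo: str = "sha256") -> str:
    """Hex digest of the DER SPKI; Peter's list used SHA-1, SHA-256 is the default here."""
    return hashlib.new(algo, spki).hexdigest()

def is_blocklisted(cert_der: bytes, blocklist: set, algo: str = "sha256") -> bool:
    """True when the certificate's public key is on the fingerprint blocklist."""
    return fingerprint(extract_spki(cert_der), algo) in blocklist

def build_cert(spki: bytes, v3: bool = True) -> bytes:
    """Constructed, unsigned stand-in for a certificate (test input only)."""
    def seq(*parts): return der_tlv(0x30, b"".join(parts))
    alg = seq(der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), der_tlv(0x05, b""))
    tbs = [der_tlv(0x02, b"\x01"), alg, seq(), seq(), seq(), spki]
    if v3:
        tbs.insert(0, der_tlv(0xA0, der_tlv(0x02, b"\x02")))
    return seq(seq(*tbs), alg, der_tlv(0x03, b"\x00"))

# Constructed placeholder SPKI: rsaEncryption OID plus a meaningless key body.
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
                      + der_tlv(0x05, b"")) + der_tlv(0x03, b"\x00\x30\x06\x02\x01\x03\x02\x01\x03"))
```

On a real certificate the same `fingerprint(extract_spki(...))` value matches what `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256` prints, so a list distributed as hex digests can be checked directly.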
