On Sat, 6 Nov 2021 17:37:22 +0100 Hanno Böck <[email protected]> wrote:
> I recently discovered two certificates issued for a private key that
> is part of the OpenSSL source code. Here's the key in question:
> https://github.com/openssl/openssl/blob/master/test/certs/x509-check-key.pem
>
> I am not sure if there should be an expectation that example/test keys
> are blocked for certificate issuance. While it is certainly infeasible
> to ask to do this for any possible software, it seems OpenSSL is
> prominent enough that it's a relatively obvious thing to consider the
> keys shipped with it as candidates for a blocklist.

Idea: What if we set aside a handful of keys of each sort, as examples,
publicising that software should use *these* examples unless it has good
reason to do otherwise? Think like RFC1918 addresses or the .example TLD
or 555- prefix telephone numbers.

We could then popularise these keys as, on the one hand, to be explicitly
blacklisted in *production* Certificate Authorities (but not development
or testing systems, since the example keys would be well suited to such
tasks) and as especially good choices for example keys in documentation
and software examples such as this OpenSSL file.

Nick.

-- 
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20211204232548.4f514675%40totoro.tlrmx.org.
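The pre-issuance check Nick describes (a production CA refusing to certify a key that is on a published list of example keys) is small enough to show in full. The Go program below is an added illustration written for this page; it is not code from the thread, from OpenSSL or from any CA. It keys the blocklist on the SHA-256 of the DER-encoded SubjectPublicKeyInfo rather than on a PEM file, so the same key is caught whatever encoding or CSR it arrives in, and it verifies the CSR's self-signature first so that a key that is merely named, but not actually held, is not what gets logged. The "example key" here is generated at runtime as a stand-in; the real test/certs/x509-check-key.pem is not embedded, and the origin strings are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
)

// Blocklist maps hex(SHA-256(DER SubjectPublicKeyInfo)) to a note saying where
// that public key is published, so a refusal can be explained to the requester.
type Blocklist map[string]string

// SPKIFingerprint hashes the canonical DER SubjectPublicKeyInfo of pub.
// Hashing the SPKI rather than a PEM blob means re-encoding the key does not
// evade the check.
func SPKIFingerprint(pub any) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// AddPEM registers a "PUBLIC KEY" PEM block, the form in which a published list
// of reserved example keys would most naturally be distributed.
func (bl Blocklist) AddPEM(pubPEM []byte, origin string) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("expected a PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	fp, err := SPKIFingerprint(pub)
	if err != nil {
		return err
	}
	bl[fp] = origin
	return nil
}

// CheckCSR is the issuance gate: parse the DER CSR, confirm proof of possession
// (the CSR's self-signature), then refuse if the subject key is blocklisted.
// The fingerprint is returned either way so the caller can log it.
func CheckCSR(csrDER []byte, bl Blocklist) (string, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	fp, err := SPKIFingerprint(csr.PublicKey)
	if err != nil {
		return "", err
	}
	if origin, blocked := bl[fp]; blocked {
		return fp, fmt.Errorf("refusing issuance: public key is a published example key (%s)", origin)
	}
	return fp, nil
}

// MakeCSR builds a minimal DER CSR for cn, self-signed with priv.
func MakeCSR(priv *rsa.PrivateKey, cn string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
}

// PublicKeyPEM encodes the public half of priv as a PEM PUBLIC KEY block.
func PublicKeyPEM(priv *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func main() {
	// Stand-in for a published example key: generated here, not the OpenSSL test key.
	exampleKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	examplePEM, _ := PublicKeyPEM(exampleKey)

	bl := Blocklist{}
	if err := bl.AddPEM(examplePEM, "reserved example key #1 (hypothetical origin)"); err != nil {
		panic(err)
	}

	// A CSR that reuses the example key is refused, whatever its subject...
	csr1, _ := MakeCSR(exampleKey, "www.example.com")
	fp, err := CheckCSR(csr1, bl)
	fmt.Printf("example key %s...: %v\n", fp[:16], err)

	// ...while a freshly generated key passes the gate.
	freshKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	csr2, _ := MakeCSR(freshKey, "www.example.com")
	fp, err = CheckCSR(csr2, bl)
	fmt.Printf("fresh key   %s...: err=%v\n", fp[:16], err)
}
```

The same Blocklist can be applied at the linting stage to an already-issued certificate by fingerprinting cert.PublicKey instead of the CSR's, which is how the two mis-issued certificates Hanno found would have been flagged after the fact. Hashing the SPKI also makes the list cheap to publish and compare against, in the same spirit as existing weak-key blocklists.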
