On Sun, 5 Dec 2021 12:51:02 -0500 "'Jan Schaumann' via [email protected]" <[email protected]> wrote:
> I can all but guarantee you that these keys would end
> up being used in production environments, in some
> cases in environments where people have no control
> over changing them (e.g., IoT).

This seems fine? With well-known test keys, such environments have an obvious defect which can be mechanically detected, reducing the chance that this goes undetected (e.g. checks you aren't using OpenSSL test keys, but in fact you have NSS test keys).

For Mozilla's core audience, we'd reduce the risk of test keys getting certificates in the Web PKI by making them well-known and explicitly forbidding CAs from issuing for them. We know this has happened before, it happened in the incident I'm replying to, and it will happen again, let's make it less often.

If the problem is "But we're so sloppy we use test keys and never notice" you already have a grave problem, it was not made worse by the test keys being the same across a dozen systems, just easier to detect and thus, perhaps, to rectify.

Nick.
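
The detection gap mentioned in the message above (a check that knows one toolkit's test keys but not another's), as an added example that is not part of the original post or of any project's code. It fingerprints every PEM public key in a blob by SHA-256 over its SubjectPublicKeyInfo and compares a single-toolkit list with a shared list. The key bytes are constructed stand-ins, not the real OpenSSL or NSS test keys, and all names are hypothetical.

```python
import base64
import hashlib
import re

# DER header of an Ed25519 SubjectPublicKeyInfo; the 32 key bytes follow it.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
PEM_RE = re.compile(
    r"-----BEGIN PUBLIC KEY-----(.+?)-----END PUBLIC KEY-----", re.S)


def make_pem(raw_key: bytes) -> str:
    """Wrap 32 constructed key bytes as a PEM-encoded Ed25519 SPKI."""
    body = base64.encodebytes(ED25519_SPKI_PREFIX + raw_key).decode()
    return f"-----BEGIN PUBLIC KEY-----\n{body}-----END PUBLIC KEY-----\n"


def spki_fingerprints(text: str) -> list:
    """SHA-256 (hex) of the DER SPKI in every PEM public key block in text."""
    return [
        hashlib.sha256(base64.b64decode("".join(m.group(1).split()))).hexdigest()
        for m in PEM_RE.finditer(text)
    ]


def find_test_keys(text: str, known: dict) -> list:
    """Return (fingerprint, source) for each key in text listed in known."""
    return [(fp, known[fp]) for fp in spki_fingerprints(text) if fp in known]


# Constructed stand-ins, NOT the real test keys of any toolkit.
TOOLKIT_A_KEY = make_pem(bytes([0xA1]) * 32)
TOOLKIT_B_KEY = make_pem(bytes([0xB2]) * 32)
SITE_KEY = make_pem(bytes([0x5C]) * 32)

# A checker that only knows toolkit A's test keys ...
TOOLKIT_A_ONLY = {spki_fingerprints(TOOLKIT_A_KEY)[0]: "toolkit A test key"}
# ... versus one shared, well-known list covering both toolkits.
SHARED_LIST = {**TOOLKIT_A_ONLY,
               spki_fingerprints(TOOLKIT_B_KEY)[0]: "toolkit B test key"}

# Constructed device image: a site key plus a leftover toolkit B test key.
DEVICE_IMAGE = ("# tls config\n" + SITE_KEY +
                "# left over from bring-up\n" + TOOLKIT_B_KEY)

if __name__ == "__main__":
    print("toolkit-A-only check:", find_test_keys(DEVICE_IMAGE, TOOLKIT_A_ONLY))
    print("shared-list check:   ", find_test_keys(DEVICE_IMAGE, SHARED_LIST))
```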
