I also was going to point out that these are probably [at least] three different concepts:
1. There are untrusted / revoked / distrusted root and/or intermediate CERTIFICATES.
2. There are KEYS which have been COMPROMISED (known/published/demonstrated public -> private key mapping) which are unsuitable for any use in any certificate in the WebPKI.
3. There are KEYS which are algorithmically WEAK and are unsuitable for any use in any certificate in the WebPKI.

Of the latter two, there is much overlap as researchers have published some lists of instances of the third case as specific examples, which makes them also fit in the 2nd case.

Importantly, it is likely that the person asking the question needs to separately consider certificates which are unknown/untrusted/revoked and keys which are bad for one of a number of reasons.

On Fri, Jan 12, 2024 at 3:33 PM Matt Palmer <[email protected]> wrote:

> On Tue, Jan 09, 2024 at 11:16:59AM -0500, 'Jan Schaumann' via [email protected] wrote:
> > Either way, it would be useful to have a community
> > shared list of known compromised keys or otherwise
> > revoked roots or intermediates. Does that already
> > exist?
>
> For known-compromised keys, there's https://pwnedkeys.com.
>
> - Matt
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/7af92426-fd46-49c0-b6d5-c18a258fc4d9%40mtasv.net.
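Added example, not part of the original message or of any project named in the thread: a sketch of evaluating the three concepts above as three independent checks on one certificate. The two hash lists are constructed placeholders, and the particular weakness tests (modulus size, exponent, small factors, Fermat close factors) are this example's choice of RSA checks, not an exhaustive or authoritative set.

```python
import hashlib
from math import isqrt

# Constructed placeholder lists (assumptions): SHA-256 of certificate DER
# and of SubjectPublicKeyInfo DER. Real lists would be loaded from a feed.
DISTRUSTED_CERTS = {hashlib.sha256(b"constructed-distrusted-cert-der").hexdigest()}
COMPROMISED_SPKIS = {hashlib.sha256(b"constructed-leaked-spki-der").hexdigest()}

def fermat_factor(n, rounds=100):
    """Return (p, q) if n splits within `rounds` Fermat steps (close factors)."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(rounds):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None

def weak_key_reasons(n, e, min_bits=2048):
    """Concept 3: weaknesses visible from the RSA public key alone."""
    reasons = []
    if n.bit_length() < min_bits:
        reasons.append("modulus-too-small")
    if e < 3 or e % 2 == 0:
        reasons.append("bad-exponent")
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        reasons.append("small-factor")
    if fermat_factor(n) is not None:
        reasons.append("close-factors")
    return reasons

def assess(cert_der, spki_der, n, e):
    """Report the three concepts separately; none implies another."""
    return {
        "certificate_distrusted": hashlib.sha256(cert_der).hexdigest() in DISTRUSTED_CERTS,
        "key_compromised": hashlib.sha256(spki_der).hexdigest() in COMPROMISED_SPKIS,
        "key_weak": weak_key_reasons(n, e),
    }

if __name__ == "__main__":
    # Constructed modulus with factors 2 apart (not a real key).
    p = 2**1024 + 1
    print(assess(b"some-cert-der", b"some-spki-der", p * (p + 2), 65537))
```

Because the compromised-key lookup is keyed on the public key rather than the certificate, the same key is flagged in every certificate that reuses it, while the certificate list only matches that one certificate.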
