Hi everyone,

As some eagle-eyed CAs may have noticed, I've revamped and restarted the Pwnedkeys Revokinator, which matches compromised keys from the Pwnedkeys dataset against issued WebPKI certificates, and sends compromise attestations to the issuing CAs.
The major change from last time I was running the Revokinator is that I have no intention of trawling the revocation status information looking for violations of the BRs. CAs are free to ignore the notifications that Revokinator sends (as a representative of one CA has hinted may occur if I don't follow their specific manual processes to generate evidence in their preferred format), without fear of incident reports being filed by me.

Instead, I have stood up a site, at https://pwnedkeys.com/revokinator, that is intended to be the one-stop shop for displaying all of the information that the Revokinator has about compromised certificates, compromise notifications, OCSP checks, and so on. Anyone who wants to trawl that data looking for BR and policy violations may do so, and create incidents as they see fit. The complete database schema describing what is being recorded by the Revokinator is available at https://pwnedkeys.com/revokinator/db-schema.

The current information being displayed is very incomplete, and serves more as a demonstration of how to write extract/display functions than a complete dump of available information. The codebase is publicly available at https://github.com/pwnedkeys/revokinator-site, so if you're keen to be able to see more of the Revokinator's data, submit PRs.

There is an FAQ about the Revokinator at https://pwnedkeys.com/revokinator/faq that gives details about how the Revokinator works, and various other pieces of information that may be of interest. Of particular note to CAs, there are instructions on how CAs may receive notifications by means other than email. They may wish to consider implementing that route in the near future, as at some point I will be running a script to match the backlog of compromised certificates and bulk-submit them to CAs, which may put significant load on whoever sits on the problem report mailbox.
Finally, I don't intend for mdsp to become the Revokinator announcements list, so if you wish to receive future updates about improvements to the Revokinator as they're released, I'd suggest subscribing to the Pwnedkeys newsletter (https://pwnedkeys.com/newsletter/subscribe), where future announcements will be posted.

- Matt

--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/695ca8fc-a4cd-42cf-b589-de3f3e854727%40mtasv.net.