Trying to understand why signing with these keys is considered full disclosure?
On Sun, Nov 10, 2024 at 5:12 PM 'Job Snijders' via dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> wrote:
> Dear Matt,
>
> On Sun, Nov 10, 2024 at 10:02:43PM +0000, Matt Palmer wrote:
> > On Sun, Nov 10, 2024 at 08:52:49AM -0800, Aaron Gable wrote:
> > > Thanks for running this important service!
>
> Yes, very cool work.
>
> > > Given that these private keys are already compromised, why is the
> > > revokinator's storage solution so important as to preclude
> > > implementing the only (as far as I'm aware) IETF-standardized
> > > compromise reporting mechanism?
> >
> > For much the same reason that full-disc isn't the standard way of
> > reporting software security vulnerabilities. While the keys are
> > compromised, in the sense that someone other than the legitimate user
> > of the key has a copy of them, they aren't necessarily universally
> > known to every bad actor.
> >
> > Given that I've got keys that have, at times in the past, been for
> > certificates with sANs like "*.gov.<ccTLD>", I don't feel it is
> > appropriate to leave those private keys in a centralised location for
> > any miscreant with a penchant for network interception to grab en
> > masse and use as they desire. Hence, all private keys are stored
> > offline and encrypted, in a deliberately not-easy-to-access form.
> >
> > I shall augment the FAQ to make this more clear.
>
> You seem to take an attentive and careful position on this problem
> space.
>
> I read your message as that you consider the compromised keys to be
> "not yours to use", which to me seems very reasonable.
>
> Kind regards,
>
> Job
>
> --
> You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org.
> To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ZzEv2Rhtbf8RuCib%40fast.

--
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAOG%3DJUKv-6X8NmahZS9e9ufOFwcbaZa%3DVBe%2B15OxF-MDykWpjw%40mail.gmail.com.