On Sun, Mar 22, 2020 at 07:47:49AM +0100, Hanno Böck via dev-security-policy wrote:
> FWIW: Given that with the private key it's easily possible to revoke
> certificates from Let's Encrypt I took the key yesterday and iterated
> over all of them and called the revoke command of certbot.
Yes, I play revocation whack-a-mole every day or two. I hammer crt.sh's pgsql replicas each time to get an up-to-date list of all new certs with keys in the pwnedkeys database, and do the needful.

> I strongly recommend Let's Encrypt (and probably all other CAs)
> blacklists that key if they haven't already done so.

That'll always be the dream... but since at least one CA can't seem to prevent a customer from getting a new certificate for the same key *while they're revoking a cert for the same name with the same key because it's compromised*, I think it's going to take a BR change that forbids reusing a reported-compromised key before CAs bake in any sort of sensible key blacklisting.

- Matt
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
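The CA-side check the thread is asking for, as an added example that is not Matt's tooling nor any CA's code: a blocklist of reported-compromised keys indexed by the SPKI SHA-256 fingerprint (the identifier pwnedkeys uses for lookups), consulted at issuance time so that a key revoked for keyCompromise cannot be reused for a new certificate for the same or any other name. The in-memory map stands in for a CA database, and the self-signed certificates stand in for CA-issued ones; both are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CompromisedKeys is a constructed stand-in for a CA-side blocklist of
// reported-compromised keys, indexed by the SHA-256 of the DER-encoded
// SubjectPublicKeyInfo (the same identifier pwnedkeys uses for lookups).
type CompromisedKeys map[string]string // fingerprint -> reason

// SPKIFingerprint returns the hex SHA-256 of a certificate's SubjectPublicKeyInfo.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// SPKIFingerprintOfKey computes the same identifier from a public key alone,
// so a key can be blocklisted from a CSR before any certificate for it exists.
func SPKIFingerprintOfKey(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// Report records a certificate's key as compromised. Once listed, the key
// stays listed: the check is on the key, not on the certificate or the name.
func (b CompromisedKeys) Report(cert *x509.Certificate, reason string) {
	b[SPKIFingerprint(cert)] = reason
}

// CheckIssuance is the gate an issuance pipeline would call on the
// to-be-signed certificate: it refuses any key already on the blocklist.
func (b CompromisedKeys) CheckIssuance(cert *x509.Certificate) error {
	fp := SPKIFingerprint(cert)
	if reason, listed := b[fp]; listed {
		return fmt.Errorf("key %s... rejected: %s", fp[:16], reason)
	}
	return nil
}

// selfSigned builds a throwaway certificate for the given key and name.
// It stands in for a CA-issued certificate in this constructed example.
func selfSigned(key *ecdsa.PrivateKey, name string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Scenario reproduces the failure mode from the thread: a certificate is
// revoked for key compromise, then a fresh certificate for the same name
// is requested with the same key. It reports whether that reissuance was
// blocked and whether an unrelated replacement key is still accepted.
func Scenario() (reissueBlocked bool, freshKeyAccepted bool, err error) {
	blocklist := CompromisedKeys{}

	compromised, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	first, err := selfSigned(compromised, "example.test")
	if err != nil {
		return false, false, err
	}
	// Revocation for keyCompromise: the key, not just the cert, goes on the list.
	blocklist.Report(first, "reported compromised (keyCompromise)")

	// A new certificate for the same name with the same key must be refused.
	reissued, err := selfSigned(compromised, "example.test")
	if err != nil {
		return false, false, err
	}
	reissueBlocked = blocklist.CheckIssuance(reissued) != nil

	// A rotated key for the same name is unaffected.
	replacement, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	renewed, err := selfSigned(replacement, "example.test")
	if err != nil {
		return false, false, err
	}
	freshKeyAccepted = blocklist.CheckIssuance(renewed) == nil
	return reissueBlocked, freshKeyAccepted, nil
}

func main() {
	blocked, accepted, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("reissue with compromised key blocked: %v\n", blocked)
	fmt.Printf("rotated key accepted: %v\n", accepted)
}
```

Keying the list on the SPKI hash rather than on certificate serials or names is what makes the check survive the race Matt describes: a compromised key reported once is refused on every later request, regardless of which name or which account submits it, while a subscriber who actually rotates keys is unaffected.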

