• by leftbehind on 9/25/2024, 12:01:03 AM

    IIRC, if you have a private key you may be able to force a revocation regardless of what the owner wants. In some, such as Let's Encrypt, it is fully automated.

    If this is a private repo, you should realize it with a private CA that you import or that is on every corp machine.

    Baseline Requirements force a revocation within x hours on key disclosure.

  • by akerl_ on 9/25/2024, 12:10:05 AM

    This is the kind of message board logic that doesn’t actually work in the real world.

    The CA has to answer to the CAB if they want to stay in browser trust stores, and quite clearly a private key that’s posted publicly has been disclosed.

  • by aiaiaiaiaiai on 9/25/2024, 12:34:17 PM

    Why doesn't the browser treat local loopback as secure network communication? Would save all the nonsense. Can't get more secure than not sending data over the network!