Ask HN: Why would a CA revoke a cert with a public private key?

3 points by JakaJancar 1 year ago | 6 comments

To get working HTTPS on localhost, something I have done in the past is:

  - register myproject.dev,
  - point it to 127.0.0.1,
  - create a cert for it, and
  - just store the private key in the repo.

Every coworker can check out the (private) repo and has working HTTPS without any fuss or configuration.

There are projects like https://lcl.host, but they require installing stuff on the machine and/or modifying the browser trust configuration.

Why has nobody just registered a similar domain like lcl.host, pointed it to 127.0.0.1, and published the private key for everyone to use?

Would the CA revoke this cert? Why? Doesn't the domain owner get to define the set of servers they allow to use the cert, and if that set just happens to be everyone, so what?

Is this "there are limits to how wide you can distribute your private key" policy documented somewhere?

Looking at digicert[1], if a revocation request is submitted, the owner must approve it. What happens if I just don't approve it?

[1]: https://docs.digicert.com/en/certcentral/manage-certificates/revoke-an-issued-ssl-tls-certificate/approve--or-reject--a-certificate-revocation-request.html

leftbehind 1 year ago |

IIRC, if you have a private key you can be able to force a revocation regardless of what the owner wants. In some such as Let's Encrypt it is fully automated.

If this is a repo private, you should be realize it with a private CA that you import or is on every corp machine.

Baseline Requirements force a revocation within x hours on key disclosure.

JakaJancar 1 year ago | |

HN comes through in 10 min :)

I didn't know about CA/Browser forum and the Baseline Requirements. Thanks, will check it out!

// Edit: Relevant section:

The Subscriber Agreement or Terms of Use MUST contain provisions imposing on the Applicant [..] the following obligations and warranties:

[...]

Protection of Private Key: An obligation and warranty by the Applicant to take all reasonable measures to assure control of, keep confidential, and properly protect at all times the Private Key [...]

leftbehind 1 year ago | | |

> Looking at digicert[1], if a revocation request is submitted, the owner must approve it. What happens if I just don't approve it?

So in this case, this is the happy-case where you as the owner wish to simply realize the cancellation a cert that you are no longer using.

A different workflow applies, such that you have the private key you instead send a POST to 'https://problemreport.digicert.com/api/keys/compromised' with the private key in the JSON body and it will be queued. It is mandatory Baseline Requirements wise to cancel the certificate within 24 hours in the compromised case - usually instant if the pk matches cert - with the expectation that of course the owner will not go this route.

akerl_ 1 year ago |

This is the kind of message board logic that doesn’t actually work in the real world.

The CA has to answer to the CAB if they want to stay in browser trust stores, and quite clearly a private key that’s posted publicly has been disclosed.

aiaiaiaiaiai 1 year ago |

Why doesn't the browser treat local loopback as secure network communication? Would save all the nonsense. Cant get more secure than not sending data over the network!