Agree, regardless of 4.9.5's investigation gap, in this case 4.9.1.1(3) clearly applies as well as other clauses. At this point, revocation is less harm than the key compromise. It may be an effective way to get the message to the affected device operators who have not replaced the default certificate with a purchased one.
Kind regards,
Steven Medin
PKI Policy Manager, Symantec Corporation

-----Original Message-----
From: Jeremy Rowley [mailto:jeremy.row...@digicert.com]
Sent: Tuesday, September 06, 2016 7:06 PM
To: Steve Medin <steve_me...@symantec.com>
Cc: Gervase Markham <g...@mozilla.org>; Kyle Hamilton <aerow...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Compromised certificate that the owner didn't wish to revoke (signed by GeoTrust)

BRs require revocation within 24 hours of notice. It's a terrible timeline but one the browsers have strictly enforced for even widespread deployments.

> On Sep 6, 2016, at 4:30 PM, Steve Medin <steve_me...@symantec.com> wrote:
>
> We have become aware of this certificate and its key compromise, thank you for this information. We are contacting the owner to understand impact to the deployed devices, but with clear intent to revoke. We will provide updates while we make progress.
>
> Kind regards,
> Steven Medin
> PKI Policy Manager, Symantec Corporation
>
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+steve_medin=symantec.com@lists.mozilla.org] On Behalf Of Gervase Markham
> Sent: Tuesday, September 06, 2016 2:02 PM
> To: Kyle Hamilton <aerow...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Compromised certificate that the owner didn't wish to revoke (signed by GeoTrust)
>
>> On 06/09/16 18:25, Kyle Hamilton wrote:
>> Aruba chose not to notify GeoTrust that it needed to be revoked due to compromised private key. I am notifying because I believe it violates the Basic Requirements for someone other than the identified subject to possess the private key for a publicly-trusted certificate.
>
> It does; have you notified GeoTrust using whatever mechanism they make available for such notifications? They are supposed to have one, according to the BRs. I'm not sure posting here would count.
>
> Gerv
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy