IIRC we recently passed a CABF ballot that the CPS must contain instructions
for submitting problem reports in a specific section of its CPS, in an attempt
to solve problems like this.  This winter or early spring, if my memory is 
correct.

-Tim

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On
> Behalf Of Alex Cohn via dev-security-policy
> Sent: Wednesday, August 8, 2018 4:01 PM
> To: ha...@hboeck.de
> Cc: mozilla-dev-security-pol...@lists.mozilla.org; ssl_ab...@comodoca.com;
> summern1...@gmail.com
> Subject: Re: localhost.megasyncloopback.mega.nz private key in client
> 
> On Wed, Aug 8, 2018 at 9:17 AM Hanno Böck <ha...@hboeck.de> wrote:
> 
> >
> > As of today this is still unrevoked:
> > https://crt.sh/?id=630835231&opt=ocsp
> >
> > Given Comodo's abuse contact was CCed in this mail I assume they knew
> > about this since Sunday. Thus we're way past the 24 hours in which they
> > should revoke it.
> >
> > --
> > Hanno Böck
> > https://hboeck.de/
> 
> 
> As Hanno has no doubt learned, the ssl_ab...@comodoca.com address bounces.
> I got that address off of Comodo CA's website at
> https://www.comodoca.com/en-us/support/report-abuse/.
> 
> I later found the address "sslab...@comodo.com" in Comodo's latest CPS,
> and forwarded my last message to it on 2018-08-05 at 20:32 CDT (UTC-5). I
> received an automated confirmation immediately afterward, so I assume
> Comodo has known about this issue for ~70 hours now.
> 
> crt.sh lists sslab...@comodoca.com as the "problem reporting" address for
> the cert in question. I have not tried this address.
> 
> Comodo publishes at least three different problem reporting email addresses,
> and at least one of them is nonfunctional. I think similar issues have come up
> before - there's often not a clear way to identify how to contact a CA. Should
> we revisit the topic?
> 
> Alex
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

Attachment: smime.p7s
Description: S/MIME cryptographic signature
