The certificate has been revoked. The bounce issue has been escalated to resolve.

Regards,

From: Alex Cohn <a...@alexcohn.com>
Sent: Wednesday, August 08, 2018 5:01 PM
To: ha...@hboeck.de
Cc: summern1...@gmail.com; mozilla-dev-security-pol...@lists.mozilla.org; #SSL_ABUSE <ssl_ab...@comodoca.com>
Subject: Re: localhost.megasyncloopback.mega.nz private key in client

On Wed, Aug 8, 2018 at 9:17 AM Hanno Böck <ha...@hboeck.de> wrote:

> As of today this is still unrevoked:
> https://crt.sh/?id=630835231&opt=ocsp
>
> Given Comodo's abuse contact was CCed in this mail I assume they knew
> about this since Sunday. Thus we're way past the 24 hour in which they
> should revoke it.
>
> --
> Hanno Böck
> https://hboeck.de/

As Hanno has no doubt learned, the ssl_ab...@comodoca.com address bounces. I got that address off of Comodo CA's website at https://www.comodoca.com/en-us/support/report-abuse/.

I later found the address "sslab...@comodo.com" in Comodo's latest CPS, and forwarded my last message to it on 2018-08-05 at 20:32 CDT (UTC-5). I received an automated confirmation immediately afterward, so I assume Comodo has now known about this issue for ~70 hours now.

crt.sh lists sslab...@comodoca.com as the "problem reporting" address for the cert in question. I have not tried this address.

Comodo publishes at least three different problem reporting email addresses, and at least one of them is nonfunctional. I think similar issues have come up before - there's often not a clear way to identify how to contact a CA. Should we revisit the topic?

Alex

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy