RE: Reported Digicert key compromise but not revoked

Thu, 09 May 2019 16:14:15 -0700 

Thanks Wayne. We’ll update our CPS to keep it clear.

 

From: Wayne Thayer <wtha...@mozilla.com> 
Sent: Thursday, May 9, 2019 5:04 PM
To: Andrew Ayer <a...@andrewayer.name>
Cc: Jeremy Rowley <jeremy.row...@digicert.com>; Jeremy Rowley via 
dev-security-policy <dev-security-policy@lists.mozilla.org>
Subject: Re: Reported Digicert key compromise but not revoked

 

DigiCert CPS section 1.5.2 [1] could also more clearly state that 
rev...@digicert.com <mailto:rev...@digicert.com>  is the correct address for 
'reporting suspected Private Key Compromise, Certificate misuse, or other types 
of fraud, compromise, misuse, inappropriate conduct, or any other matter 
related to Certificates.' Since both email addresses are listed in that 
section, it's not difficult to mistake supp...@digicert.com 
<mailto:supp...@digicert.com>  as the problem reporting mechanism, even though 
the last sentence in 1.5.2.1 implies that rev...@digicert.com 
<mailto:rev...@digicert.com>  is for problem reporting. 

 

- Wayne

 

[1] https://www.digicert.com/wp-content/uploads/2019/04/DigiCert_CPS_v418.pdf

 

On Thu, May 9, 2019 at 3:46 PM Andrew Ayer via dev-security-policy 
<dev-security-policy@lists.mozilla.org 
<mailto:dev-security-policy@lists.mozilla.org> > wrote:

On Thu, 9 May 2019 14:47:05 +0000
Jeremy Rowley via dev-security-policy
<dev-security-policy@lists.mozilla.org 
<mailto:dev-security-policy@lists.mozilla.org> > wrote:

> Hi Han - the proper alias is rev...@digicert.com <mailto:rev...@digicert.com> 
> . The support alias
> will sometimes handle these, but not always.

Is that also true of SSL certificates?  supp...@digicert.com 
<mailto:supp...@digicert.com>  is listed
first at
https://ccadb-public.secure.force.com/mozilla/ProblemReportingMechanismsReport

That should be fixed if supp...@digicert.com <mailto:supp...@digicert.com>  is 
not the right place to
report problems with SSL certificates.

Regards,
Andrew
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org 
<mailto:dev-security-policy@lists.mozilla.org> 
https://lists.mozilla.org/listinfo/dev-security-policy

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to