No argument from me there. We generally act on them no matter what. Typically any email sent to supp...@digicert.com requesting revocation is forwarded to rev...@digicert.com. That's the standard procedure. This one was missed unfortunately.
-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Daniel Marschall via dev-security-policy
Sent: Thursday, May 9, 2019 4:16 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Reported Digicert key compromise but not revoked

I personally do think that it matters to this forum. A CA - no matter what kind of certificates it issues - must take revocation requests seriously and act immediately, even if the email is sent to the wrong address. If an employee at the help desk is unable to forward revocation requests, or needs several weeks to reply, then there is something not correct with the CA, no matter if the revocation request is related to a web certificate or code signing certificate. That's my opinion on this case.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy