Between 26 Feb 2020 00:48:11 UTC and 26 Feb 2020 21:10:18 UTC, I sent three Certificate Problem Reports to sslab...@sectigo.com, reporting that certificates issued by then were using keys which have been compromised due to being publicly disclosed. As of the time of writing, I have not received a preliminary report of Sectigo's findings, as I believe is required by section 4.9.5 of the Baseline Requirements.
In each case, I received an auto-acknowledgement e-mail containing a case number, which indicates that Sectigo did, in fact, receive my problem report. Due to a mistake on my part, the evidence I provided to Sectigo was not sufficient to verify that the key was in fact compromised, so I am not claiming that Sectigo has fallen foul of BR s4.9.1.1. However, as BR s4.9.5 require a report to be provided within 24 hours, I still believe Sectigo has an operational deficiency which requires investigation. The times of the e-mails I sent, the Sectigo case number I received in response, and the further responses I have received from Sectigo, if any, are detailed below. All times are taken from the `Date` header of the relevant e-mail, adjusted to UTC if required. Case #00572387 https://crt.sh/?id=2455920199 Sent: 26 Feb 2020 00:48:11 +0000 Auto-ack: 26 Feb 2020 00:48:24 +0000 At 27 Feb 2020 19:15:10 +0000, I received an e-mail purporting to be from Sectigo Security, quoting my initial report, and saying "we will look into this right away". Note that even this response, which I do not consider qualifies as a "preliminary report", was sent over 24 hours after the initial problem report. No further response has been received since then. Case #00572465 https://crt.sh/?id=2413850414 Sent: 26 Feb 2020 05:07:34 +0000 Auto-ack: 26 Feb 2020 05:07:45 +0000 No further response has been received since the auto-acknowledgement. Case #00573105 https://crt.sh/?id=683622319 Sent: Wed, 26 Feb 2020 21:10:18 +0000 Auto-ack: Wed, 26 Feb 2020 21:10:32 +0000 No further response has been received since the auto-acknowledgement. - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
