Thanks. I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1619359 to track this.

On Mon, Mar 2, 2020 at 2:59 AM Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Between 26 Feb 2020 00:48:11 UTC and 26 Feb 2020 21:10:18 UTC, I sent three
> Certificate Problem Reports to sslab...@sectigo.com, reporting that
> certificates issued by them were using keys which have been compromised due
> to being publicly disclosed. As of the time of writing, I have not received
> a preliminary report of Sectigo's findings, as I believe is required by
> section 4.9.5 of the Baseline Requirements.
>
> In each case, I received an auto-acknowledgement e-mail containing a case
> number, which indicates that Sectigo did, in fact, receive my problem report.
>
> Due to a mistake on my part, the evidence I provided to Sectigo was not
> sufficient to verify that the key was in fact compromised, so I am not
> claiming that Sectigo has fallen foul of BR s4.9.1.1. However, as BR s4.9.5
> requires a report to be provided within 24 hours, I still believe Sectigo
> has an operational deficiency which requires investigation.
>
> The times of the e-mails I sent, the Sectigo case number I received in
> response, and the further responses I have received from Sectigo, if any,
> are detailed below. All times are taken from the `Date` header of the
> relevant e-mail, adjusted to UTC if required.
>
> Case #00572387
> https://crt.sh/?id=2455920199
> Sent: 26 Feb 2020 00:48:11 +0000
> Auto-ack: 26 Feb 2020 00:48:24 +0000
>
> At 27 Feb 2020 19:15:10 +0000, I received an e-mail purporting to be from
> Sectigo Security, quoting my initial report, and saying "we will look into
> this right away". Note that even this response, which I do not consider
> qualifies as a "preliminary report", was sent over 24 hours after the
> initial problem report.
>
> No further response has been received since then.
>
>
> Case #00572465
> https://crt.sh/?id=2413850414
> Sent: 26 Feb 2020 05:07:34 +0000
> Auto-ack: 26 Feb 2020 05:07:45 +0000
>
> No further response has been received since the auto-acknowledgement.
>
>
> Case #00573105
> https://crt.sh/?id=683622319
> Sent: Wed, 26 Feb 2020 21:10:18 +0000
> Auto-ack: Wed, 26 Feb 2020 21:10:32 +0000
>
> No further response has been received since the auto-acknowledgement.
>
> - Matt
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy