Matt,

Voluntarily providing CSR is not an ideal way to prove key compromise, because 
you could've simply found this CSR somewhere (I know, I know, super unlikely 
with your Subject... but still could happen.)

And while "compromised" is way too short (one can sign up to 32 bytes using it 
as a nonce in a regular TLS session) to prove the key compromise, in the absence 
of the actual compromised private key, about the only way to ensure the 
possession is to get the reporter to sign some data chosen by the CA. It very 
well may be a random CN in the CSR, or plain old openssl dgst.

On Monday, 9 March 2020 23:26:26 UTC+1, Matt Palmer wrote:
> Hi Joanna,
> 
> Thanks for responding.  When can this list, or Bugzilla, expect GoDaddy's
> incident report?  Also, for the avoidance of further doubt, can you give an
> exact timestamp at which GoDaddy considers that evidence of key compromise
> was "obtained" for this certificate?
> 
> - Matt
> 
> On Mon, Mar 09, 2020 at 01:46:17PM -0700, Joanna Fox via dev-security-policy 
> wrote:
> > Matt,
> > 
> > Thank you for sharing your experience with our problem reporting mechanism 
> > on this forum. It is due to this that we were able to get to the root of 
> > the issue. Here is some detail into what we saw.   
> > 
> > Yesterday, we launched an investigation which included various members of 
> > the team researching this issue. We took this investigation as far as we 
> > could with the information we had and concluded that the CSR provided, as 
> > we read it, was malformed. We ran this CSR through various tools but were 
> > unable to successfully confirm validity.  
> > 
> > This morning, based on the statements in this forum, we discovered that our 
> > email system had misinterpreted the CSR formatting due to it being pasted 
> > in the body of the email. When we fixed the Base64 encoding, the CSR verified.  
> > 
> > Upon this discovery we have initiated revocation to occur within the 
> > guidelines of 24 hours from obtaining evidence that the private key was 
> > compromised.  We take key compromises very seriously and recognize the 
> > importance to the industry and health of the ecosystem. 
> > 
> > Lastly, we also noticed that the email you received was malformed, missing 
> > some of the required content for the OpenSSL command.  This event has led 
> > to a review of our email system to learn how we can avoid malformed 
> > encoding issues in the future.
> > 
> > Thank you,
> > Joanna Fox
> > GoDaddy

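The proof-of-possession check described at the top of this message, as an added example that is not part of the thread: the CA picks a fresh nonce, the reporter signs it with the allegedly compromised key (either a raw `openssl dgst` signature or a CSR whose CN is the nonce), and the CA verifies the result against the public key in the certificate it issued. It assumes the `openssl` CLI; the key and certificate are constructed locally as stand-ins.

```shell
#!/bin/sh
# Added example: CA-side verification that a reporter controls a private key.
# The key and certificate below are constructed stand-ins, not real material.
set -eu
WORK=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/key.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/key.pem" -subj "/CN=example.test" -days 1 \
  -out "$WORK/cert.pem" 2>/dev/null

# CA side: a fresh random nonce chosen by the CA, never a string the reporter picked.
ca_make_nonce() { openssl rand -hex 16; }

# Reporter side, variant 1: sign the CA-chosen nonce with the private key.
reporter_sign_nonce() {   # $1 = nonce
  printf '%s' "$1" > "$WORK/nonce.txt"
  openssl dgst -sha256 -sign "$WORK/key.pem" -out "$WORK/nonce.sig" "$WORK/nonce.txt"
}

# CA side: the signature must verify under the public key of the issued certificate.
ca_verify_signature() {   # $1 = nonce; exit status 0 means valid proof
  openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$WORK/cert.pub"
  printf '%s' "$1" > "$WORK/nonce.check"
  openssl dgst -sha256 -verify "$WORK/cert.pub" -signature "$WORK/nonce.sig" \
    "$WORK/nonce.check" >/dev/null 2>&1
}

# Reporter side, variant 2: a CSR whose CN is the CA-chosen nonce.
reporter_make_csr() {     # $1 = nonce
  openssl req -new -key "$WORK/key.pem" -subj "/CN=$1" -out "$WORK/proof.csr" 2>/dev/null
}

# CA side: CSR self-signature verifies, CN equals the nonce, and the CSR public
# key is byte-for-byte the public key in the certificate being reported.
ca_verify_csr() {         # $1 = nonce; exit status 0 means valid proof
  openssl req -in "$WORK/proof.csr" -verify -noout >/dev/null 2>&1 || return 1
  cn=$(openssl req -in "$WORK/proof.csr" -noout -subject | sed 's/^subject=.*CN *= *//')
  [ "$cn" = "$1" ] || return 1
  openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$WORK/cert.pub"
  openssl req -in "$WORK/proof.csr" -pubkey -noout > "$WORK/csr.pub"
  cmp -s "$WORK/cert.pub" "$WORK/csr.pub"
}

# Demo run of the raw-signature variant.
nonce=$(ca_make_nonce)
reporter_sign_nonce "$nonce"
ca_verify_signature "$nonce" && echo "proof of possession OK for nonce $nonce"
```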
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy