Has anyone worked with a site/service like this that could help convey compromised keys between CAs?
https://pwnedkeys.com/submit.html

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Matt Palmer via dev-security-policy
Sent: Thursday, March 19, 2020 7:05 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi wrote:
> On Thu, Mar 19, 2020 at 1:02 AM Matt Palmer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> > 2. If there are not explicit prohibitions already in place, *should* there
> > be? If so, should it be a BR thing, or a Policy thing?
>
> https://github.com/cabforum/documents/issues/171 is filed to
> explicitly track this. That said, I worry the same set of negligent
> and irresponsible CAs will try to advocate for more CA discretion when
> revocation, such as allowing the CA to avoid revoking when they've
> misled the community as to what they do (CP/CPS violations) or
> demonstrated gross incompetence (such as easily detected spelling issues in
> jurisdiction information).
>
> I would hope no CA would be so irresponsible as to try to bring that
> up during such a discussion.

I shall fire up the popcorn maker in preparation.

> > 3. Can a CA be deemed to have "obtained evidence" of key compromise prior
> > to the issuance of a certificate, via a previously-submitted key
> > compromise problem report for the same private key? If so, it would
> > seem that, even if the issuance of the certificate is OK, it is a
> > failure-to-revoke incident if the cert doesn't get revoked within 24
> > hours...
>
> Correct, that was indeed the previous conclusion around this. The CA
> can issue, but then are obligated to revoke within 24 hours.

Excellent, thanks for that confirmation. Incident report inbound.
- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
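The point the quoted exchange settles is that a compromise report received before issuance is already "evidence of key compromise", so the 24-hour revocation clock starts at issuance rather than never. Below is an added illustration of the pre-issuance check a CA could run against its own store of key compromise problem reports; it is not code from this thread, from Mozilla, or from pwnedkeys.com. It assumes (my reading of pwnedkeys, not stated on this page) that a key is identified by the lowercase hex SHA-256 of its DER-encoded SubjectPublicKeyInfo and that pwnedkeys exposes lookups at `https://v1.pwnedkeys.com/<fingerprint>`; `CompromiseRegistry`, `evaluate_issuance` and the sample SPKI bytes are constructed for the example.

```python
"""Pre-issuance check against previously reported compromised keys.

Added example, not code from the mailing-list thread or from pwnedkeys.com.
Assumption: keys are identified by SHA-256 over the DER SubjectPublicKeyInfo,
hex-encoded, which is also (as I understand it) the pwnedkeys lookup key.
"""
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# BR 4.9.1.1: once the CA obtains evidence of key compromise it has 24 hours
# to revoke. The thread's conclusion is that a report predating issuance
# counts as evidence already in hand, so the clock starts at issuance.
REVOCATION_WINDOW = timedelta(hours=24)

# Assumed lookup URL format for pwnedkeys (not confirmed on this page).
PWNEDKEYS_LOOKUP_BASE = "https://v1.pwnedkeys.com/"


def utc_time(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Small helper so call sites (and tests) build aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def spki_fingerprint(spki_der: bytes) -> str:
    """Hex SHA-256 of the DER-encoded SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).hexdigest()


def pwnedkeys_lookup_url(spki_der: bytes) -> str:
    """URL a CA would fetch to ask pwnedkeys about this key (assumed format)."""
    return PWNEDKEYS_LOOKUP_BASE + spki_fingerprint(spki_der)


class CompromiseRegistry:
    """In-memory stand-in for a CA's store of key compromise problem reports.

    Only the earliest report per key matters: it fixes when the CA first
    obtained evidence of compromise.
    """

    def __init__(self) -> None:
        self._earliest_report: Dict[str, datetime] = {}

    def record_report(self, spki_der: bytes, reported_at: datetime) -> str:
        fp = spki_fingerprint(spki_der)
        prior = self._earliest_report.get(fp)
        if prior is None or reported_at < prior:
            self._earliest_report[fp] = reported_at
        return fp

    def earliest_report(self, spki_der: bytes) -> Optional[datetime]:
        return self._earliest_report.get(spki_fingerprint(spki_der))


def evaluate_issuance(registry: CompromiseRegistry, spki_der: bytes, issued_at: datetime) -> dict:
    """What issuing a certificate for this key at `issued_at` obliges the CA to do.

    - No report on file: nothing to do.
    - Report predates issuance: the CA already held evidence, so it must
      revoke within 24 hours of issuance ("previously_reported" is True).
    - Report arrives after issuance: ordinary case, 24 hours from the report.
    """
    fp = spki_fingerprint(spki_der)
    reported_at = registry.earliest_report(spki_der)
    if reported_at is None:
        return {"fingerprint": fp, "previously_reported": False,
                "reported_at": None, "revoke_by": None}
    clock_start = max(reported_at, issued_at)
    return {"fingerprint": fp,
            "previously_reported": reported_at <= issued_at,
            "reported_at": reported_at,
            "revoke_by": clock_start + REVOCATION_WINDOW}


# Constructed sample: the DER skeleton of a P-256 SubjectPublicKeyInfo with a
# filler point. It is not a real key; only its bytes matter for fingerprinting.
SAMPLE_SPKI = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200" + "04" + "11" * 64
)

if __name__ == "__main__":
    registry = CompromiseRegistry()
    registry.record_report(SAMPLE_SPKI, utc_time(2020, 3, 18, 9))
    verdict = evaluate_issuance(registry, SAMPLE_SPKI, utc_time(2020, 3, 19, 10))
    print(pwnedkeys_lookup_url(SAMPLE_SPKI))
    print(verdict)
```

A real deployment would run this check on the SPKI extracted from the CSR before the pre-certificate is logged, and would consult both its own problem-report store and an external source such as pwnedkeys; the example keeps the registry in memory so it runs offline.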