RE: Is issuing a certificate for a previously-reported compromised private key misissuance?

Thu, 19 Mar 2020 05:50:14 -0700 

Has anyone worked with a site/service like this that could help convey 
compromised keys between CAs?

     https://pwnedkeys.com/submit.html



-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On 
Behalf Of Matt Palmer via dev-security-policy
Sent: Thursday, March 19, 2020 7:05 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Is issuing a certificate for a previously-reported compromised 
private key misissuance?

On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi wrote:
> On Thu, Mar 19, 2020 at 1:02 AM Matt Palmer via dev-security-policy < 
> dev-security-policy@lists.mozilla.org> wrote:
> > 2. If there are not explicit prohibitions already in place, *should* there
> >    be?  If so, should it be a BR thing, or a Policy thing?
> 
> https://github.com/cabforum/documents/issues/171 is filed to 
> explicitly track this. That said, I worry the same set of negligent 
> and irresponsible CAs will try to advocate for more CA discretion when 
> revocation, such as allowing the CA to avoid revoking when they’ve 
> mislead the community as to what they do (CP/CPS violations) or 
> demonstrated gross incompetence (such as easily detected spelling issues in 
> jurisdiction information).
> 
> I would hope no CA would be so irresponsible as to try to bring that 
> up during such a discussion.

I shall fire up the popcorn maker in preparation.

> > 3. Can a CA be deemed to have "obtained evidence" of key compromise prior
> >    to the issuance of a certificate, via a previously-submitted key
> >    compromise problem report for the same private key?  If so, it would
> >    seem that, even if the issuance of the certificate is OK, it is a
> >    failure-to-revoke incident if the cert doesn't get revoked within 24
> >    hours...
> 
> Correct, that was indeed the previous conclusion around this. The CA 
> can issue, but then are obligated to revoke within 24 hours.

Excellent, thanks for that confirmation.  Incident report inbound.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to