On Sat, 21 Mar 2020 09:25:26 +1100
Matt Palmer via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> These two certificates:
> 
>     https://crt.sh/?id=2602048478&opt=ocsp
>     https://crt.sh/?id=2601324532&opt=ocsp
> 
> Were issued by Let's Encrypt more than 24 hours ago, and remain
> unrevoked, despite the revocation of the below two certificates,
> which use the same private key, for keyCompromise prior to the above
> two certificates being issued:
> 
>     https://crt.sh/?id=2602048478&opt=ocsp    
>     https://crt.sh/?id=2599226028&opt=ocsp
> 
> As per recent discussions here on m.d.s.p, I believe this is a breach
> of BR s4.9.1.1.
> 

Hi Matt,

I haven't looked at the substance of your concern yet, but the 1st and
3rd links you gave above both look identical to me whereas your text
implies they should differ. Perhaps this is a copy-paste error?

Nick.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
