Certificate https://crt.sh/?id=2606438724, issued either at 2020-03-21
00:00:00 UTC (going by notBefore) or 2020-03-21 01:56:31 UTC (going by
SCTs), is using a private key with SPKI
4310b6bc0841efd7fcec6ba0ed1f36e7a28bf9a707ae7f7771e2cd4b6f31b5af, which was
reported to DigiCert as compromised on 2020-03-20 02:05:49 UTC (and for
which https://crt.sh/?id=1760024320 was revoked for keyCompromise soon after
certificate 2606438724 was issued).

As previously discussed on this list, the visible consensus is that,
according to the BRs, certificates for which the CA already had evidence of
key compromise must be revoked within 24 hours of issuance.  That 24-hour
period has passed for the above certificate, and thus it would appear that
DigiCert has failed to abide by the BRs.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
