Hello: (Apologies if multiple copies of this are received. The initial send was bounced by mdsp.)

Summary: The certificates noted in Matt Palmer's email below were not in his original problem report to QuoVadis. The certificates he reported were revoked in a timely manner, and we acknowledged that additional certificates existed using the compromised private keys, and that they would be revoked as we identified them. The client was notified of these additional certificates this morning, which are scheduled to be revoked tonight.

Detail: An email was received from Matt Palmer on Friday 3/20/2020 at 12:05 AM AST reporting compromised private keys for certificates with the following SPKI fingerprints.

6ca25b96d613ed380d4285a450b1737346ab167bb32dcd8289f4bb9445e4521f
051c7cd46144458d508021dd721460b718c8bf5b3a4a20cfb2a7d9dd1f25470e
1737e8265beefa81310deaacb8e957231fc412f1babb5c3b4fe59b0dcae09cf7
1e71edcb5c1c93180ce063cb50e11ea5867638ec8af9f0be39c8da618e41dd3a
37c5f57216ce204702c60587e0f0b6c821f9ebb145129a780512f444e48d79fe
4a92dfd0de92af47e2a0b90f50854316bb07cc58ceb5dd82f817de51f7f8851d
5eef28fbfe1e59b19d4b7db546d95701ea618aef0ed355a2b7f41ebaf5bd07d7
7cf87d510b4bd8899ea9c48956e8fdc6893778c613148fd174d7d1a030797dc1
8317e90c1fcc6398b4530554d298a4d9268ca115806e231a1b7e9744930ea535
84adaec99f45eb4412fab4b4553670c56e920d998d7bc7611193568f88a000a0
91c1befee55e20f7d972aef5305083cf4ee0c9c951e17516fcfe51a372450839
9f6d02a745bfcc796d3270ed25f5a01654d503f464f50d2274c297b58567193e
aad925a8b38626c0b16eeb6e7d4aba571bd4f0d0232a34b9315c1034920b451e
bec0799a6122e65be89ca6f992b62ef71c3d1c566fd7d55438d88a75d685436f
bf7ee7afb5a618e9c67ef188f6ccb9f9a1d909b0e3958ad860b32d4db9cd181d
c39395e26c5401740fc4d3aef6feab97dda7509be7608b4029d7ea08b33c46d5
cc10498794c701df174e7cdeaeaa15c891f9b8ec8babe58138ae3fffc3b720cc
d03309be836b28243fa9a3a97d0e8d85ebe9e4a93e21f8842e261550f042f78d
da443e4cadd5109e564676ade6140a3f18ce36550be207006d672e808f9fdf17
dbc3dc447144ad3d9da596527fa8dfb86e6b4d7dc2919ea5b45c91679e250619
e5582b0b3dc60008bacc27e484934439c1a4ba12b328ed45e9628772ff40f1b8
ea87fa7963c0c97c98a6595da74ce650325eeb8d8d44c1aabf2239db376b3412
ebc35ec62cb941ada24fd53376c80bb76650aeab27e969174978e848adb5a776

A response was sent by QuoVadis to Matt Palmer on Saturday 3/20/2020 at 10:05 AM AST stating "We acknowledge receipt of your problem report relating to the below certificates this morning. We will investigate the certificates and, if they are found to be noncompliant, will revoke the certificates within the stipulated 24 hours. We will update you with the outcome at that time."

Following investigation and coordination with the customers, the certificates were revoked late on Saturday evening.

A response was sent by QuoVadis to Matt Palmer on Saturday 3/21/2020 at 12:07 AM AST stating "These certificates have been revoked. In the process, I identified some additional certificates which share certain of these Public Keys. I require additional assistance to research this thoroughly, which will take place tomorrow. Additional certificates we identify will be revoked in a further 24 hr cycle."

We notified the clients of these additional certificates this morning, and they will be revoked later tonight.

Many thanks,
Stephen
QuoVadis

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Matt Palmer via dev-security-policy
Sent: Sunday, March 22, 2020 2:23 AM
To: Mozilla <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: QuoVadis: Failure to revoke key-compromised certificates within 24 hours

Three certificates were reported as having private keys which had been publicly disclosed, by e-mailing complia...@quovadisglobal.com at 2020-03-20 03:05:14 UTC. E-mail was received by a QuoVadis server at 2020-03-20 03:05:18 UTC. As of 2020-03-22 05:17:37, OCSP still shows all of these certificates as being "Good".
The unrevoked certificates are:

https://crt.sh/?id=2605016622
https://crt.sh/?id=1757153116
https://crt.sh/?id=1432019792

Interestingly, at least one other certificate using the same private key as each of the above certificates, and also issued by QuoVadis, is now showing as revoked, suggesting that (a) QuoVadis did indeed consider the private keys as compromised, and (b) there are no caching or delayed publishing issues at play here.

- Matt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
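Matt Palmer's report identifies the compromised keys by SPKI SHA-256 fingerprint (the hash of the certificate's DER SubjectPublicKeyInfo), and QuoVadis's follow-up search for "additional certificates which share certain of these Public Keys" is exactly a comparison of that hash across the issued-certificate corpus. The script below is an added example, not part of the thread and not QuoVadis's or anyone else's tooling: it extracts the SubjectPublicKeyInfo from a DER certificate with a small hand-written parser (assumes a well-formed RFC 5280 certificate; it is not a general ASN.1 validator), hashes it, and checks the result against a blocklist. The certificate and RSA key it runs on are constructed inline; the only real values are two fingerprints copied from the report above.

```python
import hashlib

# Two of the SPKI SHA-256 fingerprints from the report above, used here as a
# sample "known-compromised keys" blocklist (values copied from the thread).
REPORTED_SPKI_FINGERPRINTS = {
    "6ca25b96d613ed380d4285a450b1737346ab167bb32dcd8289f4bb9445e4521f",
    "051c7cd46144458d508021dd721460b718c8bf5b3a4a20cfb2a7d9dd1f25470e",
}


def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Build one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
    start = pos + header
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo (whole TLV) of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, tbs, _ = read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    pos = 0
    if tbs[0] == 0xA0:                # skip the optional [0] EXPLICIT version
        _, _, pos = read_tlv(tbs, pos)
    for _ in range(5):                # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    tag, _, end = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return tbs[pos:end]


def spki_fingerprint(cert_der):
    """SHA-256 over the DER SubjectPublicKeyInfo, hex-encoded, as in the report."""
    return hashlib.sha256(spki_from_cert(cert_der)).hexdigest()


def is_key_compromised(cert_der, blocklist):
    """True if the certificate's public key matches an entry in the blocklist."""
    return spki_fingerprint(cert_der) in blocklist


# --- Constructed sample input: a syntactically valid but unsigned certificate ---

def sample_spki():
    """A hypothetical RSA SubjectPublicKeyInfo with a made-up 512-bit modulus."""
    rsa_oid = tlv(0x06, bytes.fromhex("2a864886f70d010101"))      # 1.2.840.113549.1.1.1
    algorithm = tlv(0x30, rsa_oid + tlv(0x05, b""))
    modulus = tlv(0x02, b"\x00" + bytes(range(1, 65)))             # fake modulus, positive INTEGER
    exponent = tlv(0x02, b"\x01\x00\x01")                          # 65537
    rsa_public_key = tlv(0x30, modulus + exponent)
    return tlv(0x30, algorithm + tlv(0x03, b"\x00" + rsa_public_key))


def build_sample_cert(spki):
    """Wrap an SPKI in a minimal X.509 v3 structure with a zeroed signature."""
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    cn = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"example"))
    name = tlv(0x30, tlv(0x31, cn))                                # CN=example
    validity = tlv(0x30, tlv(0x17, b"200320000000Z") + tlv(0x17, b"210320000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + sha256_rsa + name + validity + name + spki)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" + bytes(32)))


if __name__ == "__main__":
    cert = build_sample_cert(sample_spki())
    print("SPKI fingerprint:", spki_fingerprint(cert))
    print("on reported list:", is_key_compromised(cert, REPORTED_SPKI_FINGERPRINTS))
```

To use it on a real certificate, pass the DER bytes read from disk (decode the PEM base64 first) to `spki_fingerprint` or `is_key_compromised`; the value it produces is the same hash that `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256` prints, and since the hash covers only the public key, every certificate issued for the same key, regardless of subject, issuer or serial, yields the same fingerprint, which is why one reported key can implicate certificates that were not in the original problem report.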