On Mon, Mar 23, 2020 at 02:02:18AM +0000, Stephen Davidson via 
dev-security-policy wrote:
> Summary:  The certificates noted in Matt Palmer's email below were not in
> his original problem report to QuoVadis.

While this may be true in an extremely narrow and literal sense, I don't
believe this is a reasonable description of the situation.  It is true that
I did not list the certificates that QuoVadis failed to revoke in my
certificate problem report.  However, I did not list *any* certificates in
my initial problem report.  Despite that, QuoVadis were able to revoke a
number of certificates based on the information I did provide, including
other certificates with the same public key to those that they did not
revoke.

What I did provide was a list of SPKI fingerprints of private keys in my
possession, along with a method of constructing crt.sh URLs which could be
used to lookup impacted certificates by SPKI fingerprint and a method of
constructing URLs which would provide CSR-format attestations of compromise. 
This appeared to be sufficient for QuoVadis to revoke the vast majority of
the certificates impacted, and I do not have any record of QuoVadis
objecting to the form or substance of the information I provided.

> The certificates he reported
> were revoked in a timely manner, and we acknowledged that additional
> certificates existed using the compromised private keys, and that they
> would be revoked as we identified them.

I'm not sure that "we know there are more here somewhere, we'll revoke them
as we find them, and we'll take 24 hours from when we find them to do it"
meets the letter of the BRs, let alone the spirit.

- Matt
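The lookup method Matt describes above (SPKI fingerprints of the keys, turned into crt.sh queries that return every certificate carrying that public key) is easy to reproduce for anyone checking their own estate. The following is an added, stand-alone Python example; it is not code from the thread, from QuoVadis, or from crt.sh. It parses a DER certificate with a minimal ASN.1 walker, hashes the complete SubjectPublicKeyInfo TLV with SHA-256 (the value crt.sh calls the SPKI SHA-256), and builds the query URL. The `spkisha256` parameter name is an assumption about crt.sh's interface, since the exact URL construction is not quoted on the page; the two sample certificates are constructed in the block with a made-up modulus and a placeholder signature, so they parse but are not real or valid certificates. The CSR-format attestation of compromise mentioned in the email is not covered here.

```python
import hashlib

# ASN.1 DER universal tags used below.
SEQUENCE, INTEGER, OID, BIT_STRING, NULL, UTF8STRING, SET, UTCTIME = (
    0x30, 0x02, 0x06, 0x03, 0x05, 0x0C, 0x31, 0x17)
VERSION_TAG = 0xA0  # [0] EXPLICIT: the optional tbsCertificate.version

# Well-known OIDs as DER content octets (RFC 5280 / PKCS#1).
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
OID_SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_COMMON_NAME = bytes.fromhex("550403")                  # 2.5.4.3


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV."""
    return bytes([tag]) + der_length(len(content)) + content


def der_int(n: int) -> bytes:
    """DER INTEGER; the +8 keeps a leading 0x00 when the top bit is set."""
    return der(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, content_start, end_of_tlv)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + header
    return tag, start, start + length


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo TLV from an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = read_tlv(cert_der, 0)          # outer Certificate
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = read_tlv(cert_der, pos)        # tbsCertificate
    if tag != SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = read_tlv(cert_der, pos)
    if tag == VERSION_TAG:                       # skip the optional version
        pos = end
    for _ in range(5):                           # serial, sigalg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]                     # the whole TLV, header included


def spki_sha256_hex(spki_der: bytes) -> str:
    """SPKI fingerprint: SHA-256 over the complete DER SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).hexdigest()


def crtsh_spki_url(fingerprint_hex: str) -> str:
    """crt.sh lookup by SPKI SHA-256 (parameter name assumed, not quoted in the thread)."""
    return f"https://crt.sh/?spkisha256={fingerprint_hex}"


# --- Constructed sample data: a fake RSA SPKI and two unsigned certificate shells ---

def build_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an rsaEncryption key (modulus is a constructed value)."""
    algorithm = der(SEQUENCE, der(OID, OID_RSA_ENCRYPTION) + der(NULL, b""))
    rsa_public_key = der(SEQUENCE, der_int(modulus) + der_int(exponent))
    return der(SEQUENCE, algorithm + der(BIT_STRING, b"\x00" + rsa_public_key))


def build_certificate_shell(serial: int, spki: bytes, common_name: bytes) -> bytes:
    """Structurally valid X.509 DER with a placeholder (not real) signature, for parsing only."""
    name = der(SEQUENCE, der(SET, der(SEQUENCE, der(OID, OID_COMMON_NAME) + der(UTF8STRING, common_name))))
    sig_alg = der(SEQUENCE, der(OID, OID_SHA256_WITH_RSA) + der(NULL, b""))
    validity = der(SEQUENCE, der(UTCTIME, b"200101000000Z") + der(UTCTIME, b"300101000000Z"))
    tbs = der(SEQUENCE, der(VERSION_TAG, der_int(2)) + der_int(serial) + sig_alg + name + validity + name + spki)
    placeholder_signature = der(BIT_STRING, b"\x00" + bytes(32))
    return der(SEQUENCE, tbs + sig_alg + placeholder_signature)


SAMPLE_MODULUS = int("c0ffee" * 40, 16)  # constructed, not a real key


def fingerprints_for_shared_key() -> tuple:
    """Two certificates with different serials and subjects but the same public key."""
    spki = build_rsa_spki(SAMPLE_MODULUS)
    cert_a = build_certificate_shell(1001, spki, b"a.example")
    cert_b = build_certificate_shell(2002, spki, b"b.example")
    return (spki_sha256_hex(spki_from_certificate(cert_a)),
            spki_sha256_hex(spki_from_certificate(cert_b)))


if __name__ == "__main__":
    fp_a, fp_b = fingerprints_for_shared_key()
    print("same key in both certificates:", fp_a == fp_b)
    print(crtsh_spki_url(fp_a))
```

Because the fingerprint is computed over the SubjectPublicKeyInfo alone, every certificate issued for the same key yields the same value whatever its serial, subject or issuer; that is exactly why a list of SPKI fingerprints lets a CA (or crt.sh) enumerate all affected certificates, including ones the reporter never listed. On a real certificate the same result comes from `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256`.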

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
