Hi Ryan:

As you wish. I will start an incident report. I do not believe there is a compliance failure here.

Regards,
Stephen
From: Ryan Sleevi <r...@sleevi.com>
Sent: Monday, March 23, 2020 1:57 PM
To: Stephen Davidson <stephen.david...@digicert.com>
Cc: Mozilla <mozilla-dev-security-pol...@lists.mozilla.org>; Matt Palmer <mpal...@hezmatt.org>
Subject: Re: QuoVadis: Failure to revoke key-compromised certificates within 24 hours

On Sun, Mar 22, 2020 at 10:03 PM Stephen Davidson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Hello:
>
> (Apologies if multiple copies of this are received. The initial send was bounced by mdsp.)
>
> Summary: The certificates noted in Matt Palmer's email below were not in his original problem report to QuoVadis. The certificates he reported were revoked in a timely manner, and we acknowledged that additional certificates existed using the compromised private keys, and that they would be revoked as we identified them. The client was notified of these additional certificates this morning, which are scheduled to be revoked tonight.

Stephen: This seems like a valid incident report, and worth following up on in Bugzilla. Would you like to open one with your preliminary findings, or would you like me to create one to be filled in by QuoVadis?

When it comes to reports of private key compromises, it seems the CA should be able to effectively determine the affected certificates (based on SPKI) and ensure these are all revoked in a timely fashion. Revoking some of them, but not all of them, seems like a BR violation. It may be there are facts or understanding that's missing, and an incident report can help identify those, as well as any root causes or systemic mitigations to be deployed.
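The SPKI-based lookup Ryan describes, shown as an added example that is not part of this thread or of any CA's tooling: reduce the reported private key to its SubjectPublicKeyInfo SHA-256 fingerprint and search the issued certificates for that fingerprint, so certificates the reporter never listed are still found. It assumes `openssl` is on PATH; the keys and certificates are generated locally as constructed test data.

```shell
#!/bin/sh
# Added example: find every certificate that shares the public key from a
# key-compromise report, by comparing SPKI SHA-256 fingerprints.
# Assumes openssl is on PATH; all keys and certificates below are constructed test data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SPKI SHA-256 fingerprint (hex) of a PEM certificate.
spki_of_cert() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SPKI SHA-256 fingerprint (hex) of a PEM private key: what a reporter's
# compromised key reduces to, and what the CA should search its issued certs for.
spki_of_key() {
    openssl pkey -in "$1" -pubout -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print the file names of all certificates in directory $2 whose SPKI equals $1.
# Matching on the key rather than on reported serials catches certificates
# the reporter never saw.
find_certs_with_spki() {
    for cert in "$2"/*.pem; do
        if [ "$(spki_of_cert "$cert")" = "$1" ]; then basename "$cert"; fi
    done
    return 0
}

# Constructed test data: two certificates on the compromised key, one on another key.
make_cert() { # args: key cn out
    openssl req -new -x509 -key "$1" -subj "/CN=$2" -days 1 -out "$3" 2>/dev/null
}
mkdir "$WORK/certs"
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/compromised.key" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/other.key" 2>/dev/null
make_cert "$WORK/compromised.key" reported.example "$WORK/certs/a.pem"
make_cert "$WORK/compromised.key" unreported.example "$WORK/certs/b.pem"
make_cert "$WORK/other.key" unrelated.example "$WORK/certs/c.pem"

REPORTED=$(spki_of_key "$WORK/compromised.key")
echo "Certificates to revoke for SPKI $REPORTED:"
find_certs_with_spki "$REPORTED" "$WORK/certs"
```

Both a.pem and b.pem are listed although only one of them was "reported"; c.pem, on an unrelated key, is not.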