I've created a bug to track this issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1625715
- Wayne

On Thu, Mar 26, 2020 at 11:33 PM Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> At 2020-03-20 03:02:43 UTC, I sent a notification to sslab...@sectigo.com
> that certificate https://crt.sh/?id=1659219230 was using a private key with
> SPKI fingerprint
> 4c67cc2eb491585488bab29a89899e4e997648c7047c59e99a67c6123434f1eb, which was
> compromised due to being publicly disclosed. My e-mail included a link to a
> PKCS#10 attestation of compromise, signed by the key at issue. An MX server
> for sectigo.com accepted this e-mail at 2020-03-20 03:02:50 UTC.
>
> This certificate was revoked by Sectigo, with a revocation timestamp of
> 2020-03-20 19:37:48 UTC.
>
> Subsequently, certificate https://crt.sh/?id=2614798141 was issued by
> Sectigo, and uses a private key with the same SPKI as that previously
> reported. This certificate has a notBefore of Mar 23 00:00:00 2020 GMT, and
> embeds two SCTs issued at 2020-03-23 05:55:53 UTC. At the time of writing,
> the crt.sh revocation table does not show this certificate as revoked either
> via CRL or OCSP:
>
> Mechanism  Provider  Status       Revocation Date  Last Observed in CRL  Last Checked (Error)
> OCSP       The CA    Good         n/a              n/a                   2020-03-27 06:27:23 UTC
> CRL        The CA    Not Revoked  n/a              n/a                   2020-03-27 04:44:26 UTC
>
> Based on previous discussions on m.d.s.p, I believe Sectigo's failure to
> revoke this certificate within 24 hours of its issuance is a violation of
> the BRs, and hence Mozilla policy.
>
> - Matt
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
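The two CA-side steps the thread turns on, as an added illustration that is not part of the thread and not Sectigo's or crt.sh's code: verifying a PKCS#10 attestation of compromise (a CSR signed by the leaked key) and recording its SPKI fingerprint, then refusing any later issuance for that same SPKI. It uses only the Go standard library; the "leaked" key is generated in place as a constructed stand-in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// spkiFingerprint is the hex SHA-256 of the DER SubjectPublicKeyInfo, as crt.sh reports it.
func spkiFingerprint(pub any) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // only unsupported key types reach here
	}
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// recordCompromise handles a PKCS#10 attestation of compromise: a CSR signed by the
// compromised key. A valid signature proves possession, so its SPKI is blocklisted.
func recordCompromise(csrDER []byte, blocklist map[string]bool) (string, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("attestation not signed by the claimed key: %w", err)
	}
	fp := spkiFingerprint(csr.PublicKey)
	blocklist[fp] = true
	return fp, nil
}

// preIssuanceCheck refuses to sign any certificate whose key was reported compromised, whoever requests it.
func preIssuanceCheck(pub any, blocklist map[string]bool) error {
	if fp := spkiFingerprint(pub); blocklist[fp] {
		return fmt.Errorf("refusing issuance: SPKI %s was reported compromised", fp)
	}
	return nil
}

func main() {
	leaked, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed stand-in for the leaked key
	csr, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, leaked)
	blocklist := map[string]bool{}
	fmt.Println(recordCompromise(csr, blocklist))               // SPKI fingerprint, <nil>
	fmt.Println(preIssuanceCheck(&leaked.PublicKey, blocklist)) // refused: same key as the attestation
}
```

A reissuance like the one reported above would fail the second check even though the request came from a different applicant, because the check keys on the SPKI rather than on the certificate or requester.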