Sectigo: Failure to revoke certificate with compromised key
sandybar497--- via dev-security-policy Tue, 05 May 2020 09:36:21 -0700

I submitted a compromised key report to Sectigo [ssl_ab...@sectigo.com] on 1 May 2020 at 2:03pm UTC, but Sectigo failed to revoke the certificate per CAB Forum guidelines [4.9.1.1. Reasons for Revoking a Subscriber Certificate]. Upon submitting my report [case ref: _00D1N2Ljih._5003l11VztU], I received an automated response on 1 May 2020 at 2:03pm UTC, and the first human response came 4 hours later on 1 May 2020 at 6:24pm UTC with what I believe was an incorrect assessment and a failure to carefully review the evidence provided. The impacted certificate, as of writing this post, is still not revoked.

The certificate in question: https://crt.sh/?id=2081585376

A CSR signed by the original private key was provided with the following subject details as evidence of possession:

CN = The key that signed this CSR has been publicly disclosed.
O = Compromised Key

The response I received from Sectigo failed to demonstrate competency to deal with the report and instead made references to the commonName attribute as being a problem, however without providing any form of explanation as to what is wrong with it. Additionally, Sectigo referred to pwnedkeys as some sort of authority that they say it's not compromised. However, I suspect what Sectigo staff really meant is that they were unable to find the SPKI SHA-256 fingerprint in the pwnedkeys database, but I don't see how that means anything or why they are checking pwnedkeys when the evidence was attached along with the report.

The necessary evidence was provided to Sectigo and they have thus far failed to deal with the evidence or clearly articulate reasons for concluding this case to not be a compromise. I have sent further emails to Sectigo over 24 hours ago requesting that their decision be carefully reviewed and have still not received a reply. I suspect my case was closed and the response went into a black hole.

I would like to request Sectigo to again review this matter, revoke the certificate and provide an incident report.

_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
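As an added example, not code from the original post or from Sectigo, this is the check a CA reviewer can run on a report of this shape: build the proof-of-possession CSR with the subject the reporter describes, confirm its signature validates, and confirm the CSR's key is the certificate's key by comparing SPKI SHA-256 fingerprints (the identifier pwnedkeys is queried by). It assumes the third-party `cryptography` package; the key and the self-signed certificate are constructed stand-ins (not the crt.sh certificate), and `build_proof_csr`, `csr_proves_possession`, `spki_sha256` and `make_demo_cert` are names chosen here.

```python
# Added example (not from the original post). Assumes the third-party
# `cryptography` package; key and certificate are constructed for the demo.
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Subject exactly as described in the report: the CN text carries no meaning
# for issuance; the only thing that matters is who signed the CSR.
REPORT_SUBJECT = x509.Name([
    x509.NameAttribute(NameOID.COMMON_NAME,
                       "The key that signed this CSR has been publicly disclosed."),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Compromised Key"),
])


def demo_key():
    """Constructed key standing in for the disclosed private key."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def spki_sha256(public_key) -> str:
    """Hex SHA-256 over the DER SubjectPublicKeyInfo (pwnedkeys lookup id)."""
    der = public_key.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()


def build_proof_csr(private_key) -> x509.CertificateSigningRequest:
    """CSR signed with the disclosed key, as the reporter would attach it."""
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(REPORT_SUBJECT)
            .sign(private_key, hashes.SHA256()))


def csr_proves_possession(csr, cert) -> bool:
    """True only if the CSR signature verifies AND its key is the cert's key."""
    if not csr.is_signature_valid:          # signature must check out
        return False
    return spki_sha256(csr.public_key()) == spki_sha256(cert.public_key())


def make_demo_cert(private_key) -> x509.Certificate:
    """Constructed self-signed stand-in for the reported certificate."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    start = datetime.datetime(2020, 5, 1, tzinfo=datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(private_key.public_key()).serial_number(1)
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=30))
            .sign(private_key, hashes.SHA256()))
```

A CSR signed by a different key fails the SPKI comparison even though its signature is valid, which is why the fingerprint match, not the subject text, is the evidence to act on.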