Do you have a copy of the OCSP response?

With such issues, we may need signed artifacts to demonstrate
non-compliance. For example, it shows as revoked via both OCSP and CRL
for me.

On Thu, May 14, 2020 at 4:32 PM sandybar497--- via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
>
> On 7 May 2020 at 12:07:07 PM UTC I reported a certificate to GoDaddy at 
> practi...@starfieldtech.com as having its private key compromised.
>
> I received the automated acknowledgement confirmation, however, as of 
> 2020-05-09 03:39:36 UTC (well after 24 hours), OCSP still shows the 
> certificate as being "Good".
>
> The unrevoked certificate is https://crt.sh/?id=2366734355
>
> I believe this is a breach of the CA-BR [4.9.1.1. Reasons for Revoking a 
> Subscriber Certificate] -
>
> "The CA SHALL revoke a Certificate within 24 hours if one or more of the 
> following occurs"...."The CA obtains evidence that the Subscriber's Private 
> Key corresponding to the Public Key in the Certificate suffered a Key 
> Compromise"
>
> I would like to request GoDaddy revoke the certificate and provide an 
> incident report on this matter.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy