On Thursday, May 21, 2020 at 10:06:02 AM UTC-7, sandy...@gmail.com wrote:
> On Thursday, May 21, 2020 at 12:33:25 PM UTC+10, Matt Palmer wrote:
> > On Tue, May 19, 2020 at 07:33:00PM -0700, sandybar497--- via 
> > dev-security-policy wrote:
> > > Here are the original headers (omitting my email)
> > > 
> > > ***
> > > 
> > > MIME-Version: 1.0
> > > Date: Thu, 7 May 2020 12:07:07 +0000
> > > Message-ID: 
> > > <CANb+OL=25wrEtLMXSgEbv=6eudrhgdugr+fyg5agsugej6o...@mail.gmail.com>
> > > Subject: Certificate Problem Report - compromised key
> > > From: sandy <sandy...@gmail.com>
> > [...]
> > > https://crt.sh/?spkisha256=e92984ace6f80c75b092df972962f2d3f1365ba08c8bbf9b98cdf3aec20d2d2d
> > 
> > crt.sh sez:
> > 
> > Revoked (cessationOfOperation)      2020-05-08  16:55:17 UTC
> > 
> > Got to say, that definitely does look like over 24 hours from e-mail to
> > revocation.  Unfortunately, because you're using gmail, it's tricky to be
> > able to demonstrate when GoDaddy *actually* received the e-mail -- I don't
> > know of a way to get at the MTA logs to show when it was delivered to the
> > remote MTA.
> > 
> > I'd be curious to hear from GoDaddy as to why the revocation reason here is
> > marked as "cessationOfOperation", rather than "keyCompromise".  That
> > seems... fishy.
> > 
> > > Content-Type: application/octet-stream; 
> > > name="e92984ace6f80c75b092df972962f2d3f1365ba08c8bbf9b98cdf3aec20d2d2d.pem"
> > > Content-Disposition: attachment; 
> > > filename="e92984ace6f80c75b092df972962f2d3f1365ba08c8bbf9b98cdf3aec20d2d2d.pem"
> > > Content-Transfer-Encoding: base64
> > > X-Attachment-Id: f_k9wq5sjj0
> > > Content-ID: <f_k9wq5sjj0>
> > 
> > Somewhere along the line this got lost.  It'd be good to have a copy of it,
> > for completeness.  Since it's in PEM format, you can include it in the body
> > of an e-mail -- the Mozilla lists are a bit finicky with attachments.
> > 
> > - Matt
> 
> I had received an auto-confirmation email from GoDaddy 
> [donotre...@secureserver.net] just one minute after sending my report; the 
> email reply contained case incident id 41854028.
> 
> Here is a copy of the evidence of compromise sent along with my report (PEM 
> encoded CSR signed from original private key).
> 
> Requesting GoDaddy to provide an incident report for this matter.
> 
> - sandy

Hello Sandy,

GoDaddy received an email on Friday, May 7, 2020 12:06 UTC, reporting a key 
compromise, by Sandy. Once received, our team started working on making sure 
that the certificate had indeed a compromised key; the investigation on the 
certificate finished on that same day, Friday, May 7th, between 16:54 UTC and 
16:55 UTC. 
After that we followed the Baseline Requirements 4.9.1, which says: "The CA 
obtains evidence that the Subscriber's Private Key corresponding to the Public 
Key in the Certificate suffered a Key Compromise;" We obtained the evidence 
that the key was compromised when we finished our investigation at 16:55 UTC; 
that was the time we set the 24-hour revocation of the certificate, and the same 
was revoked on May 8th at 16:55 UTC.
We communicated with the reporter as soon as we completed our investigation and 
informed them that the affected certificate would be revoked strictly within 24 
hours, which we have done and can be confirmed here: 
https://crt.sh/?id=2366734355
 
Lastly, GoDaddy takes key compromises very seriously and recognizes the 
importance to the industry and health of the ecosystem.

Thank you,

Daniela Hood
GoDaddy
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
