Yes - that's been well established. See 
https://bugzilla.mozilla.org/show_bug.cgi?id=1639801 (where Ryan reminded me 
that this has been discussed and resolved with actual language in the BRs)

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On 
Behalf Of Kurt Roeckx via dev-security-policy
Sent: Thursday, May 21, 2020 3:25 PM
To: Daniela Hood <dxh...@godaddy.com>
Cc: Mozilla <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: GoDaddy: Failure to revoke certificate with compromised key within 
24 hours

On Thu, May 21, 2020 at 02:01:49PM -0700, Daniela Hood via dev-security-policy 
wrote:
> Hello Sandy,
> 
> GoDaddy received an email on Friday, May 7, 2020 12:06 UTC, reporting a key 
> compromise, by Sandy. Once received, our team started working on making sure 
> that the certificate did indeed have a compromised key; the investigation on 
> the certificate finished that same day, Friday, May 7th, between 16:54 UTC and 
> 16:55 UTC. 
> After that we followed Baseline Requirements section 4.9.1, which says: "The CA 
> obtains evidence that the Subscriber's Private Key corresponding to the 
> Public Key in the Certificate suffered a Key Compromise;" We obtained the 
> evidence that the key was compromised when we finished our investigation at 
> 16:55 UTC; that was the time from which we set the 24-hour revocation of the 
> certificate, and it was revoked on May 8th at 16:55 UTC.
> We communicated with the reporter as soon as we completed our 
> investigation and informed them that the affected certificate would be 
> revoked strictly within 24 hours, which we have done and can be 
> confirmed here: https://crt.sh/?id=2366734355

From what I understand, you received the evidence at May 7, 2020
12:06 UTC, but it took you until 16:55 UTC to confirm that the evidence you 
received was valid.

I think the 24 hours start at the time you receive the evidence, not the time 
that you confirm the evidence is valid. Otherwise you could just delay looking at 
the mail for, say, a week, and still claim that you revoked it within 24 hours.


Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy