Hello, Thank you for all the comments in this thread. We filed an incident report related to the revocation timing that can be followed here: https://bugzilla.mozilla.org/show_bug.cgi?id=1640310. We also identified the error in revocation reason as a user error, corrected the error and provided feedback to the employee.
Daniela Hood GoDaddy -----Original Message----- From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Matt Palmer via dev-security-policy Sent: Thursday, May 21, 2020 6:32 PM To: dev-security-policy@lists.mozilla.org Subject: Re: GoDaddy: Failure to revoke certificate with compromised key within 24 hours Notice: This email is from an external sender. On Thu, May 21, 2020 at 02:01:49PM -0700, Daniela Hood via dev-security-policy wrote: > After that we followed the Baseline Requirements 4.9.1 That says: "The > CA obtains evidence that the Subscriber's Private Key corresponding to > the Public Key in the Certificate suffered a Key Compromise;" We > obtained the evidence that the key was compromised when we finished > our investigation at 16:55 UTC, that was the time we set 24 hours > revocation of the certificate, the same was revoked at May 8th at 16:55 UTC. BRs 4.9.5: "The period from receipt of the Certificate Problem Report or revocation-related notice to published revocation MUST NOT exceed the time frame set forth in Section 4.9.1.1". > can be confirmed here: https://crt.sh/?id=2366734355 Can you explain why the revocation reason is "cessationOfOperation", rather than "keyCompromise"? To not provide a revocation reason at all is one thing, but to indicate a factually incorrect one is... something else entirely. - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy