QuoVadis: Failure to revoke key-compromised certificates within 24 hours

Three certificates were reported as having private keys which had been publicly disclosed, by e-mailing complia...@quovadisglobal.com at 2020-03-20 03:05:14 UTC. E-mail was received by a QuoVadis server at 2020-03-20 03:05:18 UTC. As of 2020-03-22 05:17:37, OCSP still shows all of these

Digicert: failure to revoke certificate with previously compromised key

Certificate https://crt.sh/?id=2606438724, issued either at 2020-03-21 00:00:00 UTC (going by notBefore) or 2020-03-21 01:56:31 UTC (going by SCTs), is using a private key with SPKI 4310b6bc0841efd7fcec6ba0ed1f36e7a28bf9a707ae7f7771e2cd4b6f31b5af, which was reported to Digicert as compromised on

Re: Paessler (was Re: Let's Encrypt: Failure to revoke key-compromised certificates within 24 hours)

On Sat, Mar 21, 2020 at 07:20:27PM +, Nick Lamb wrote: > On Sat, 21 Mar 2020 13:40:21 +1100 > Matt Palmer via dev-security-policy > wrote: > > There's also this one, which is another reuse-after-revocation, but > > the prior history of this key suggests that there's something *far* > > more

Paessler (was Re: Let's Encrypt: Failure to revoke key-compromised certificates within 24 hours)

On Sat, 21 Mar 2020 13:40:21 +1100 Matt Palmer via dev-security-policy wrote: > Oh the facepalm, it burns (probably too much hand sanitizer)... let > me try that again. Use soap and water where practical. And, as the BBC Comedy TV show "That Mitchell & Webb Look" put it many years ago "Remain

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

On Friday, March 20, 2020 at 3:55:08 PM UTC-5, Ryan Sleevi wrote: > On Fri, Mar 20, 2020 at 4:07 PM Kathleen Wilson via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > My question: What should "location" mean in the above requirement? > > > > The WebTrust Practitioner