Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Mon, Mar 23, 2020 at 2:43 PM Bruce via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thursday, March 19, 2020 at 2:02:39 AM UTC-4, Matt Palmer wrote: > > > 1. *Are* there explicit prohibitions on issuing a certificate for a > private > >key which has been

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Thursday, March 19, 2020 at 2:02:39 AM UTC-4, Matt Palmer wrote: > 1. *Are* there explicit prohibitions on issuing a certificate for a private >key which has been previously submitted *to that CA* as compromised >(assuming, of course, that the prior submission was valid), and I'm just

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Thu, Mar 19, 2020 at 9:58 AM Wojtek Porczyk wrote: > On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi via > dev-security-policy wrote: > > [...] but given that some negligent and > > irresponsible CAs kept agitating to reduce revocation requirements than > > protect users, the ballot was

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi via dev-security-policy wrote: > [...] but given that some negligent and > irresponsible CAs kept agitating to reduce revocation requirements than > protect users, the ballot was kept simple. > [...] I worry the same set of negligent and

RE: Is issuing a certificate for a previously-reported compromised private key misissuance?

Has anyone worked with a site/service like this that could help convey compromised keys between CAs? https://pwnedkeys.com/submit.html -Original Message- From: dev-security-policy On Behalf Of Matt Palmer via dev-security-policy Sent: Thursday, March 19, 2020 7:05 AM To:

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi wrote: > On Thu, Mar 19, 2020 at 1:02 AM Matt Palmer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > 2. If there are not explicit prohibitions already in place, *should* there > >be? If so, should it be a BR

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Thu, Mar 19, 2020 at 1:02 AM Matt Palmer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Since I started requesting revocation for certificates with > known-compromised private keys, I've noticed a rather disturbing pattern > emerging in a few cases: > > 1. I find a

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On 2020-03-19 07:02, Matt Palmer wrote: 2. If there are not explicit prohibitions already in place, *should* there be? If so, should it be a BR thing, or a Policy thing? I think there should be. I expect them to publish a CRL that says the reason for revocation is a key compromise. I