Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Mon, Mar 23, 2020 at 2:43 PM Bruce via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thursday, March 19, 2020 at 2:02:39 AM UTC-4, Matt Palmer wrote: > > > 1. *Are* there explicit prohibitions on issuing a certificate for a > private > >key which has been

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Thursday, March 19, 2020 at 2:02:39 AM UTC-4, Matt Palmer wrote: > 1. *Are* there explicit prohibitions on issuing a certificate for a private >key which has been previously submitted *to that CA* as compromised >(assuming, of course, that the prior submission was valid), and I'm just

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Thu, Mar 19, 2020 at 9:58 AM Wojtek Porczyk wrote: > On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi via > dev-security-policy wrote: > > [...] but given that some negligent and > > irresponsible CAs kept agitating to reduce revocation requirements than > > protect users, the ballot was

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi via dev-security-policy wrote: > [...] but given that some negligent and > irresponsible CAs kept agitating to reduce revocation requirements than > protect users, the ballot was kept simple. > [...] I worry the same set of negligent and

RE: Is issuing a certificate for a previously-reported compromised private key misissuance?

To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Is issuing a certificate for a previously-reported compromised private key misissuance? On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi wrote: > On Thu, Mar 19, 2020 at 1:02 AM Matt Palmer via dev-security-policy < > dev-securi

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi wrote: > On Thu, Mar 19, 2020 at 1:02 AM Matt Palmer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > 2. If there are not explicit prohibitions already in place, *should* there > >be? If so, should it be a BR

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Thu, Mar 19, 2020 at 1:02 AM Matt Palmer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Since I started requesting revocation for certificates with > known-compromised private keys, I've noticed a rather disturbing pattern > emerging in a few cases: > > 1. I find a

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On 2020-03-19 07:02, Matt Palmer wrote: 2. If there are not explicit prohibitions already in place, *should* there be? If so, should it be a BR thing, or a Policy thing? I think there should be. I expect them to publish a CRL that says the reason for revocation is a key compromise. I

Is issuing a certificate for a previously-reported compromised private key misissuance?

Since I started requesting revocation for certificates with known-compromised private keys, I've noticed a rather disturbing pattern emerging in a few cases: 1. I find a private key on the Internet. 2. I request revocation from the CA on the basis that the private key is compromised, and