BRs require revocation within 24 hours of notice. It's a terrible timeline but one the browsers have strictly enforced for even widespread deployments.

> On Sep 6, 2016, at 4:30 PM, Steve Medin <[email protected]> wrote:
>
> We have become aware of this certificate and its key compromise, thank you
> for this information. We are contacting the owner to understand impact to
> the deployed devices, but with clear intent to revoke. We will provide
> updates while we make progress.
>
> Kind regards,
> Steven Medin
> PKI Policy Manager, Symantec Corporation
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+steve_medin=symantec.com@lists.mozilla.org]
> On Behalf Of Gervase Markham
> Sent: Tuesday, September 06, 2016 2:02 PM
> To: Kyle Hamilton <[email protected]>;
> [email protected]
> Subject: Re: Compromised certificate that the owner didn't wish to revoke
> (signed by GeoTrust)
>
>> On 06/09/16 18:25, Kyle Hamilton wrote:
>> Aruba chose not to notify GeoTrust that it needed to be revoked due to
>> compromised private key. I am notifying because I believe it
>> violates the Basic Requirements for someone other than the identified
>> subject to possess the private key for a publicly-trusted certificate.
>
> It does; have you notified GeoTrust using whatever mechanism they make
> available for such notifications? They are supposed to have one, according
> to the BRs. I'm not sure posting here would count.
>
> Gerv
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

