One question, though, is whether the key was compromised at the time of intentionally shipping it in a distributed executable. That choice knowingly exposed the key to arbitrary public users, even if they didn't expect this to happen from doing so.
-- Eric

On Jun 18, 2017 10:24 AM, "Ryan Sleevi via dev-security-policy" <[email protected]> wrote:

> As Daniel noted, this is considered a key compromise event, and a violation
> of the subscriber agreement that all CAs are required to adhere to, with
> respect to the protection of the private key.
>
> The issuing CA is obligated to revoke this certificate within 24 hours of
> being made aware of this.
>
> Thank you for bringing it to the community's attention.
>
> On Sun, Jun 18, 2017 at 12:29 PM Daniel Cater via dev-security-policy <[email protected]> wrote:
>
> > This is now on crt.sh here:
> > https://crt.sh/?id=156475584&opt=cablint,x509lint
> >
> > This is indeed a key compromise event, thanks for the level of detail
> > provided.
> >
> > An attacker in control of a network could use this to impersonate
> > https://drmlocal.cisco.com/ and leverage that to potentially steal a
> > user's secure cookies from other Cisco subdomains if they were scoped to
> > the whole cisco.com domain.
> > _______________________________________________
> > dev-security-policy mailing list
> > [email protected]
> > https://lists.mozilla.org/listinfo/dev-security-policy

