Section 9.6.3, Items 2, 4, and 5, of Baseline Requirements 1.4.5 (current version)
On Sun, Jun 18, 2017 at 11:36 AM, Eric Mill via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> One question though, is whether the key was compromised at the time of
> intentionally shipping it in a distributed executable. That choice
> knowingly exposed the key to arbitrary public users, even if they didn't
> expect this to happen from doing so.
>
> -- Eric
>
> On Jun 18, 2017 10:24 AM, "Ryan Sleevi via dev-security-policy" <dev-security-policy@lists.mozilla.org> wrote:
>
> > As Daniel noted, this is considered a key compromise event, and a violation
> > of the subscriber agreement that all CAs are required to adhere to, with
> > respect to the protection of the private key.
> >
> > The issuing CA is obligated to revoke this certificate within 24 hours of
> > being made aware of this.
> >
> > Thank you for bringing it to the community's attention.
> >
> > On Sun, Jun 18, 2017 at 12:29 PM Daniel Cater via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> >
> > > This is now on crt.sh here:
> > > https://crt.sh/?id=156475584&opt=cablint,x509lint
> > >
> > > This is indeed a key compromise event, thanks for the level of detail
> > > provided.
> > >
> > > An attacker in control of a network could use this to impersonate
> > > https://drmlocal.cisco.com/ and leverage that to potentially steal a
> > > user's secure cookies from other Cisco subdomains if they were scoped to
> > > the whole cisco.com domain.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy