The certificate has been revoked.
The bounce issue has been escalated for resolution.
Regards,

From: Alex Cohn <[email protected]>
Sent: Wednesday, August 08, 2018 5:01 PM
To: [email protected]
Cc: [email protected]; [email protected]; 
#SSL_ABUSE <[email protected]>
Subject: Re: localhost.megasyncloopback.mega.nz private key in client


On Wed, Aug 8, 2018 at 9:17 AM Hanno Böck <[email protected]> wrote:

As of today this is still unrevoked:
https://crt.sh/?id=630835231&opt=ocsp

Given Comodo's abuse contact was CCed in this mail I assume they knew
about this since Sunday. Thus we're way past the 24 hours in which they
should revoke it.

--
Hanno Böck
https://hboeck.de/

As Hanno has no doubt learned, the [email protected] address bounces. I got 
that address off of Comodo CA's website at 
https://www.comodoca.com/en-us/support/report-abuse/.

I later found the address "[email protected]" in Comodo's latest CPS, and 
forwarded my last message to it on 2018-08-05 at 20:32 CDT (UTC-5). I received 
an automated confirmation immediately afterward, so I assume Comodo has known 
about this issue for ~70 hours now.

crt.sh lists [email protected] as the 
"problem reporting" address for the cert in question. I have not tried this 
address.

Comodo publishes at least three different problem reporting email addresses, 
and at least one of them is nonfunctional. I think similar issues have come up 
before - there's often not a clear way to identify how to contact a CA. Should 
we revisit the topic?

Alex
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
