[Somehow the list got dropped on this when I did reply-all]

It would probably be a good idea to submit the keys to https://pwnedkeys.com/submit.html as well, as a centralized way for CAs to verify that the keys are in fact compromised.

We received one of these reports in the form of a BouncyCastle keystore file (.bks), which I didn't even know was a thing until it arrived, with a password to unlock the file. However, while we were able to unlock the keystore with the provided password after setting up the BouncyCastle security provider, that password didn't unlock the private key itself inside the keystore. Thus, we were unable to verify that the key was actually compromised.

At that point, though, we realized that the question was moot as the certificate we had issued using it was already expired. But I guess I'm wondering, if other CAs received what we did, were they able to independently verify that the keys are in fact compromised before revoking the certificates?

Regards,
Tim

-----Original Message-----
From: dev-security-policy [mailto:[email protected]] On Behalf Of Wayne Thayer via dev-security-policy
Sent: Monday, March 25, 2019 8:44 PM
To: Rob Stradling
Cc: [email protected]; CERT Coordination Center
Subject: Re: CA-issued certificates for publicly-available private keys VU#553544

Thank you for the report Will and for the tracking info Rob.

It appears that all but one of these certificates is currently revoked, but roughly 5 more weren't revoked until earlier today, which I assume was more than 24 hours since they were reported to the CA.

Will: can you share an approximate date/time when these certificates were reported to the CAs? You should have also received a preliminary report from the CAs within 24 hours as described in BR section 4.9.5.

- Wayne

On Mon, Mar 25, 2019 at 6:11 AM Rob Stradling via dev-security-policy <[email protected]> wrote:

> I've just created a batch for this list on the Revocation Tracker:
>
> https://misissued.com/batch/47/
>
> On 22/03/2019 19:05, CERT Coordination Center via dev-security-policy wrote:
> > Hi folks,
> >
> > I'm sharing this information with this list per suggestion of Hanno Böck. Some time ago we started looking at private keys that are included with Android apps that are publicly available in the Google Play store. Some subset of these keys have been used to obtain certificates from CAs participating in the CT project (as visible on https://crt.sh)
> >
> > The following http://crt.sh link to keys/certificates that are associated with the compromised (released to the public) private keys:
> >
> > We have notified the respective CAs of the key material compromise for each of the above cases.
> >
> > With each of the above cases, the app author has been given plenty of time to correct their mistake. We have a number of keys where we haven't yet notified the CAs, due to the fact that we turned off app-author notification quite a few months ago. (This project would be a never-ending operation, given the stream of incoming new apps to the Play store that make the same mistake).
> >
> > We plan to re-enable email notifications to app authors in cases where the private keys are used to obtain certificates, as listed on http://crt.sh. And after some amount of time, we'll notify the CAs to indicate key compromise. The reason for this delay would be to not blind-side site owners.
> >
> > On the other hand, given that the private keys have *already* been compromised (by way of public release), perhaps it doesn't make sense for such an embargo. Thoughts?
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> Sectigo Limited
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
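
On the question raised at the top of this thread (whether a CA can independently confirm that a reported key really is the private key behind a certificate it issued), the following Go program is an added example, not code from any poster or CA on the list. It assumes the reported key has already been exported from its keystore as unencrypted PKCS#8 DER and is RSA or ECDSA; VerifyCompromise and sampleReport are hypothetical names, and the key and certificate are constructed at run time.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// VerifyCompromise checks a report that keyDER (unencrypted PKCS#8) is the private key of certDER
// by signing the cert's SPKI with it. Returns the SPKI SHA-256 (crt.sh "spkisha256") and the verdict.
func VerifyCompromise(certDER, keyDER []byte) (string, bool, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", false, err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	spki := hex.EncodeToString(sum[:])
	key, err := x509.ParsePKCS8PrivateKey(keyDER)
	if err != nil { // key cannot be opened: the compromise claim stays unverified
		return spki, false, fmt.Errorf("private key unreadable: %w", err)
	}
	signer, ok := key.(crypto.Signer)
	if !ok {
		return spki, false, fmt.Errorf("unsupported key type %T", key)
	}
	sig, err := signer.Sign(rand.Reader, sum[:], crypto.SHA256)
	if err != nil {
		return spki, false, err
	}
	algo := x509.ECDSAWithSHA256 // only RSA and ECDSA certificates are handled
	if cert.PublicKeyAlgorithm == x509.RSA {
		algo = x509.SHA256WithRSA
	}
	return spki, cert.CheckSignature(algo, cert.RawSubjectPublicKeyInfo, sig) == nil, nil
}

// sampleReport builds constructed test data: a fresh RSA key and a self-signed cert for it.
func sampleReport() (certDER, keyDER []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	certDER, _ = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ = x509.MarshalPKCS8PrivateKey(key)
	return certDER, keyDER
}

func main() {
	fmt.Println(VerifyCompromise(sampleReport()))
}
```

A key that cannot be opened returns an error together with the SPKI hash, so the report can still be matched to the certificate while the compromise itself remains unproven.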

