Tom Wassenberg on Twitter reported an experience he had with Sectigo when reporting a compromised private key.

https://twitter.com/tomwas54/status/1162114413148725248
https://twitter.com/tomwas54/status/1162114465065840640
https://twitter.com/tomwas54/status/1162114495017299976

"So a few weeks ago, I came across a private key used for a TLS certificate, posted online. These should never be public (hence the "private"), and every trusted CA is obliged to revoke any certificate they issued when they become aware its private key is compromised."

"So when I informed the issuing CA (@SectigoHQ) about this, they promptly revoked the cert. Two weeks later however, I receive an angry email from the company using the cert (cc'd to their lawyer), blaming me for a disruption in the services they provide."

"The company explicitly mentioned @SectigoHQ "was so kind" to give them my contact info! It was a complete surprise for me that @SectigoHQ would do this without my consent. Especially seeing how the info was used to badger me."

If these situations were common, it could create a chilling effect on problem reporting that would hurt the WebPKI ecosystem. Are specific procedures and handling of contact information in these situations covered by the BRs or Mozilla policy?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

