Hello,

I am a bit shocked about this case.

The fact that this happened to someone would restrain me from reporting key 
compromises.

Even though it is the company's fault to protect their private key, their 
lawyers still might sue the incident reporter. A judge might not understand the 
PKI system and therefore might tend to decide in favor of the company, because 
the company can prove that they lost XXX dollars revenue because of the 
service outage. I think big companies have a lot of expensive lawyers who might 
win such a case against a private person who might not even have the money for 
a good lawyer at all.

In re privacy: Telling someone the name and/or email address of a person 
without their consent is a clear violation of the GDPR (European General Data 
Protection Regulation), in case European law applies. Publishing the name 
and/or email address online (e.g. in the incident template) is even worse.

Take care,
Daniel

On Monday, 19 August 2019 16:26:06 UTC+2, Mathew Hodson wrote:
> Tom Wassenberg on Twitter reported an experience he had with Sectigo
> when reporting a compromised private key.
> 
> https://twitter.com/tomwas54/status/1162114413148725248
> https://twitter.com/tomwas54/status/1162114465065840640
> https://twitter.com/tomwas54/status/1162114495017299976
> 
> "So a few weeks ago, I came across a private key used for a TLS
> certificate, posted online. These should never be public (hence the
> "private"), and every trusted CA is obliged to revoke any certificate
> they issued when they become aware its private key is compromised.
> 
> "So when I informed the issuing CA (@SectigoHQ) about this, they
> promptly revoked the cert. Two weeks later however, I receive an angry
> email from the company using the cert (cc'd to their lawyer), blaming
> me for a disruption in the services they provide.
> 
> "The company explicitly mentioned @SectigoHQ "was so kind" to give
> them my contact info! It was a complete surprise for me that
> @SectigoHQ would do this without my consent. Especially seeing how the
> info was used to badger me."
> 
> If these situations were common, it could create a chilling effect on
> problem reporting that would hurt the WebPKI ecosystem. Are specific
> procedures and handling of contact information in these situations
> covered by the BRs or Mozilla policy?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy