On Tue, May 5, 2020 at 12:35 PM sandybar497--- via dev-security-policy <[email protected]> wrote:
>
> I submitted a compromised key report to Sectigo [[email protected]] on 1 May 2020 at 2:03pm UTC but Sectigo failed to revoke the certificate per cab-forum guidelines [4.9.1.1. Reasons for Revoking a Subscriber Certificate].
>
> Upon submitting my report [case ref: _00D1N2Ljih._5003l11VztU], I received an automated response at 1 May 2020 at 2:03pm UTC and the first human response came 4 hours later on 1 May 2020 at 6:24pm UTC with what I believe was an incorrect assessment and failure to carefully review the evidence provided. The impacted certificate as of writing this post is still not revoked.
>
> The certificate in question: https://crt.sh/?id=2081585376
>
> A CSR signed by the original private key was provided with the following subject details as evidence of possession:
> CN = The key that signed this CSR has been publicly disclosed.
> O = Compromised Key
>
> The response I received from Sectigo failed to demonstrate competency to deal with the report and instead made references to the commonName attribute as being a problem, however without providing any form of explanation as to what is wrong with it. Additionally, Sectigo referred to pwnedkeys as some sort of authority that they say it's not compromised. However, I suspect what Sectigo staff really meant is they were unable to find the spki sha256 fingerprint against the pwnedkeys database, but I don't see how that means anything or why they are checking pwnedkeys when the evidence was attached along with the report. The necessary evidence was provided to Sectigo and they have thus far failed to deal with the evidence or clearly articulate reasons for concluding this case to not be a compromise.
>
> I have sent further emails to Sectigo over 24 hours ago requesting their decision to be carefully reviewed and have still not received a reply. I suspect my case was closed and the response went into a blackhole.
>
> I would like to request Sectigo to again review this matter, revoke the certificate and provide an incident report.
Thanks for sharing this. Could I ask you to post the CSR and/or evidence you shared somewhere? Mostly to help confirm that indeed, Sectigo did make the wrong call, and that this is an incident :)

I was in the process of writing up the Bugzilla bug and realized it probably makes sense to do a little due diligence myself. Sectigo is expected to be watching this mailing list and can also respond (and open the Bugzilla incident). I just didn't recognize your e-mail / past posts, and so wanted to at least confirm before making noise :)

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
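The due diligence the reply asks for, as an added example that is not part of the thread or of any CA's tooling: a shell check, using the openssl CLI, of whether a submitted CSR really was signed by the key behind a given certificate, which is what such a report has to prove. The key, certificate and CSRs are constructed in the script and stand in for the real ones; the SPKI SHA-256 fingerprint it computes is the form the quoted report says pwnedkeys is indexed by.

```shell
#!/bin/sh
# Added example: check a compromised-key report the way a CA validator would.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH; key, certificate and
# CSRs are constructed here, standing in for the real ones from the report.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed material: the "affected" key and certificate, a CSR signed by
# that key with the subject described in the report, and a CSR from an
# unrelated key to show what a rejected report looks like.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem"
openssl req -new -x509 -key "$WORK/key.pem" -days 1 \
  -subj "/CN=example.invalid" -out "$WORK/cert.pem" 2>/dev/null
openssl req -new -key "$WORK/key.pem" -out "$WORK/csr.pem" 2>/dev/null \
  -subj "/CN=The key that signed this CSR has been publicly disclosed./O=Compromised Key"
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/other.pem"
openssl req -new -key "$WORK/other.pem" -out "$WORK/other.csr" 2>/dev/null \
  -subj "/CN=The key that signed this CSR has been publicly disclosed./O=Compromised Key"

# spki_fingerprint FILE x509|req -> SHA-256 hex of the DER SubjectPublicKeyInfo,
# the fingerprint form that pwnedkeys indexes.
spki_fingerprint() {
  openssl "$2" -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# verify_report CERT CSR -> 0 only if the CSR proves possession of CERT's key.
verify_report() {
  # 1. the CSR must carry a valid self-signature under its embedded public key
  openssl req -in "$2" -verify -noout >/dev/null 2>&1 || return 1
  # 2. that public key must be exactly the certificate's SPKI; a CN that merely
  #    claims compromise proves nothing on its own
  [ "$(spki_fingerprint "$1" x509)" = "$(spki_fingerprint "$2" req)" ]
}

if verify_report "$WORK/cert.pem" "$WORK/csr.pem"; then
  echo "key compromise demonstrated for SPKI $(spki_fingerprint "$WORK/cert.pem" x509)"
fi
if ! verify_report "$WORK/cert.pem" "$WORK/other.csr"; then
  echo "unrelated CSR rejected: its key does not match the certificate"
fi
```

Note that the subject line of the CSR is only a human-readable label; the check that decides the case is the signature plus the SPKI match, which is independent of whatever a third-party database such as pwnedkeys happens to have indexed.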

