On 7 May 2020 at 12:07:07 PM UTC I reported a certificate to GoDaddy at 
practi...@starfieldtech.com as having its private key compromised.

I received the automated acknowledgement confirmation; however, as of 
2020-05-09 03:39:36 UTC (well after 24 hours), OCSP still shows the certificate 
as being "Good".

The unrevoked certificate is https://crt.sh/?id=2366734355

I believe this is a breach of the CA-BR [ Reasons for Revoking a 
Subscriber Certificate] -

"The CA SHALL revoke a Certificate within 24 hours if one or more of the 
following occurs"...."The CA obtains evidence that the Subscriber's Private Key 
corresponding to the Public Key in the Certificate suffered a Key Compromise"

I would like to request GoDaddy revoke the certificate and provide an incident 
report on this matter.
dev-security-policy mailing list
