On 7 May 2020 at 12:07:07 PM UTC I reported a certificate to GoDaddy at practi...@starfieldtech.com as having its private key compromised.
I received the automated acknowledgement confirmation, however, as of 2020-05-09 03:39:36 UTC (well after 24 hours), OCSP still shows the certificate as being "Good" The unrevoked certificate is https://crt.sh/?id=2366734355 I believe this is a breach of the CA-BR [4.9.1.1. Reasons for Revoking a Subscriber Certificate] - "The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs"...."The CA obtains evidence that the Subscriber's Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise" I would like to request GoDaddy revoke the certificate and provide an incident report on this matter. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy