On Friday, May 15, 2020 at 7:30:45 AM UTC+10, Ryan Sleevi wrote:
> Do you have a copy of the OCSP response?
>
> With such issues, we may need signed artifacts to demonstrate
> non-compliance. For example, it shows as revoked via both OCSP and CRL
> for me.
>
> On Thu, May 14, 2020 at 4:32 PM sandybar497--- via dev-security-policy
> <[email protected]> wrote:
> >
> > On 7 May 2020 at 12:07:07 PM UTC I reported a certificate to GoDaddy at
> > [email protected] as having its private key compromised.
> >
> > I received the automated acknowledgement confirmation, however, as of
> > 2020-05-09 03:39:36 UTC (well after 24 hours), OCSP still shows the
> > certificate as being "Good".
> >
> > The unrevoked certificate is https://crt.sh/?id=2366734355
> >
> > I believe this is a breach of the CA-BR [4.9.1.1. Reasons for Revoking a
> > Subscriber Certificate] -
> >
> > "The CA SHALL revoke a Certificate within 24 hours if one or more of the
> > following occurs" ... "The CA obtains evidence that the Subscriber's Private
> > Key corresponding to the Public Key in the Certificate suffered a Key
> > Compromise"
> >
> > I would like to request GoDaddy revoke the certificate and provide an
> > incident report on this matter.
> > _______________________________________________
> > dev-security-policy mailing list
> > [email protected]
> > https://lists.mozilla.org/listinfo/dev-security-policy
I actually submitted this post 6 days ago and it was only just approved today. Is there a lack of resources for approving posts? I just don't see how it's helpful when posts show up so late.

As noted, I sampled the OCSP responder well after 24 hours and the cert had not been revoked yet. I don't have a signed copy to share as I didn't save it, but I don't think it's necessary, since it still took GoDaddy over 24 hours to revoke. If you compare the report timestamp with the OCSP timestamp, the difference is approximately 28 hrs and 48 mins.

