Hanno, you downplay your own research. In particular, when "16 years of CVE-2008-0166 Debian OpenSSL Bug" <https://16years.secvuln.info/> was published I did take note of how long it took until the DKIM keys were removed, and it was longer than 24 hours. 2024-05-13 15:00 UTC was when it was removed from DNS that I saw - at least 32 hours after that post was made.
I presume you had direct contact with Entrust prior to that publication as well? How long did you notice it took them to handle that known-compromised key?

On Friday, July 5, 2024 at 8:58:59 PM UTC+1 Hanno Böck wrote:
> Hi,
>
> On Thu, 27 Jun 2024 14:19:40 -0600
> "'Kurt Seifried' via CCADB Public" <[email protected]> wrote:
>
> > Question: what about CN = Entrust Verified Mark Root Certification
> > Authority - VMCR1 which is used for BIMI logos for example and
> > supported in Gmail? Will Gmail be removing support for Entrust based
> > VMC certificates and thus BIMI logos done via Entrust?
>
> In this context, possibly interesting: I had recently discovered that
> many VMCs issued by Entrust were not compliant with the BIMI SVG
> profile. I had made that public on the IETF BIMI list:
> https://mailarchive.ietf.org/arch/msg/bimi/xzYRH72V2HE9xeUfXK_zUgYSI7k/
>
> Entrust handled the revocation reasonably well, but of course,
> it raises questions how this could happen in the first place.
> (I was more disappointed with Google's/GMail's reaction, or rather,
> non-reaction)
>
> --
> Hanno Böck - Independent security researcher
> https://itsec.hboeck.de/
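The post above measures a key-removal delay by watching DNS. The following is an added example, not part of the thread or written by any of its participants, that shows how a defender can automate that measurement: it parses DKIM TXT records in RFC 6376 tag=value form, classifies each record as active, revoked (an empty p= tag), missing or malformed, and walks a timeline of DNS observations to compute how many hours after a disclosure the key was still usable. The observation timestamps, the disclosure time and the key material are constructed for the example; they are not taken from the thread.

```python
"""Classify DKIM key records and measure how long a disclosed key stayed live.

Added example (not from the CCADB thread). Record syntax follows RFC 6376
section 3.6.1: tags separated by ';', 'p=' carries the public key and an
empty 'p=' means the key is revoked. All timestamps and records below are
constructed sample data.
"""
from datetime import datetime, timezone
from typing import Optional


def parse_dkim_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, tolerating stray whitespace."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = value.strip()
    return tags


def classify_dkim_record(txt: Optional[str]) -> str:
    """Return 'missing', 'malformed', 'revoked' or 'active' for one TXT lookup."""
    if txt is None:                      # NXDOMAIN / no TXT record at the selector
        return "missing"
    tags = parse_dkim_record(txt)
    # 'v' defaults to DKIM1 when absent; 'p' is mandatory for a usable record.
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "malformed"
    return "revoked" if tags["p"] == "" else "active"


def parse_ts(s: str) -> datetime:
    """Parse a compact UTC timestamp such as 2024-05-13T15:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


def hours_until_unusable(observations, disclosed_at: str) -> Optional[float]:
    """Hours from disclosure to the first observation where the key is not active.

    observations: list of (timestamp, txt_or_None) in chronological order.
    Returns None if every observation after disclosure still shows an active key.
    """
    t0 = parse_ts(disclosed_at)
    for ts, txt in observations:
        t = parse_ts(ts)
        if t < t0:
            continue                     # ignore polls taken before disclosure
        if classify_dkim_record(txt) != "active":
            return (t - t0).total_seconds() / 3600
    return None


# Constructed timeline: hourly polls of a DKIM selector around a disclosure.
# The key data is a placeholder, not a real public key.
WEAK_KEY_RECORD = "v=DKIM1; k=rsa; p=EXAMPLEKEYDATA"
DISCLOSED_AT = "2024-05-12T07:00Z"
OBSERVATIONS = [
    ("2024-05-11T12:00Z", WEAK_KEY_RECORD),   # before disclosure, ignored
    ("2024-05-12T08:00Z", WEAK_KEY_RECORD),   # still published after disclosure
    ("2024-05-13T14:00Z", WEAK_KEY_RECORD),
    ("2024-05-13T15:00Z", None),              # record gone from DNS
    ("2024-05-13T16:00Z", None),
]

if __name__ == "__main__":
    delay = hours_until_unusable(OBSERVATIONS, DISCLOSED_AT)
    print(f"key unusable {delay} hours after disclosure")
    for rec in (WEAK_KEY_RECORD, "v=DKIM1; k=rsa; p=", "k=rsa", None):
        print(repr(rec), "->", classify_dkim_record(rec))
```

Feeding this with real polling data means replacing OBSERVATIONS with the TXT answers a resolver returned for the selector record (selector._domainkey.example.com) at each poll; a key that is published with an empty p= counts as revoked just as a removed record counts as missing, since verifiers will reject signatures in both cases.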
