Re: Reported Digicert key compromise but not revoked
Thanks for that. So now I should send another email to rev...@digicert.com or just wait for revocation? And who should I contact if this address doesn't work? 在 2019年5月10日星期五 UTC+8上午8:26:09,Jeremy Rowley写道: > No argument from me there. We generally act on them no matter what. > Typically any email sent to supp...@digicert.com requesting revocation is > forwarded to rev...@digicert.com. That's the standard procedure. This one > was missed unfortunately. > > -Original Message- > From: dev-security-policy On > Behalf Of Daniel Marschall via dev-security-policy > Sent: Thursday, May 9, 2019 4:16 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: RE: Reported Digicert key compromise but not revoked > > I personally do think that it matters to this forum. A CA - no matter what > kind of certificates it issues - must take revocation requests seriously and > act immediately, even if the email is sent to the wrong address. If an > employee at the help desk is unable to forward revocation requests, or needs > several weeks to reply, then there is something not correct with the CA, no > matter if the revocation request is related to a web certificate or code > signing certificate. That's my opinion on this case. > ___ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
RE: Reported Digicert key compromise but not revoked
No argument from me there. We generally act on them no matter what. Typically any email sent to supp...@digicert.com requesting revocation is forwarded to rev...@digicert.com. That's the standard procedure. This one was missed unfortunately. -Original Message- From: dev-security-policy On Behalf Of Daniel Marschall via dev-security-policy Sent: Thursday, May 9, 2019 4:16 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Reported Digicert key compromise but not revoked I personally do think that it matters to this forum. A CA - no matter what kind of certificates it issues - must take revocation requests seriously and act immediately, even if the email is sent to the wrong address. If an employee at the help desk is unable to forward revocation requests, or needs several weeks to reply, then there is something not correct with the CA, no matter if the revocation request is related to a web certificate or code signing certificate. That's my opinion on this case. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy smime.p7s Description: S/MIME cryptographic signature ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
RE: Reported Digicert key compromise but not revoked
Thanks Wayne. We’ll update our CPS to keep it clear. From: Wayne Thayer Sent: Thursday, May 9, 2019 5:04 PM To: Andrew Ayer Cc: Jeremy Rowley ; Jeremy Rowley via dev-security-policy Subject: Re: Reported Digicert key compromise but not revoked DigiCert CPS section 1.5.2 [1] could also more clearly state that rev...@digicert.com <mailto:rev...@digicert.com> is the correct address for 'reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to Certificates.' Since both email addresses are listed in that section, it's not difficult to mistake supp...@digicert.com <mailto:supp...@digicert.com> as the problem reporting mechanism, even though the last sentence in 1.5.2.1 implies that rev...@digicert.com <mailto:rev...@digicert.com> is for problem reporting. - Wayne [1] https://www.digicert.com/wp-content/uploads/2019/04/DigiCert_CPS_v418.pdf On Thu, May 9, 2019 at 3:46 PM Andrew Ayer via dev-security-policy mailto:dev-security-policy@lists.mozilla.org> > wrote: On Thu, 9 May 2019 14:47:05 + Jeremy Rowley via dev-security-policy mailto:dev-security-policy@lists.mozilla.org> > wrote: > Hi Han - the proper alias is rev...@digicert.com <mailto:rev...@digicert.com> > . The support alias > will sometimes handle these, but not always. Is that also true of SSL certificates? supp...@digicert.com <mailto:supp...@digicert.com> is listed first at https://ccadb-public.secure.force.com/mozilla/ProblemReportingMechanismsReport That should be fixed if supp...@digicert.com <mailto:supp...@digicert.com> is not the right place to report problems with SSL certificates. Regards, Andrew ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy smime.p7s Description: S/MIME cryptographic signature ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Reported Digicert key compromise but not revoked
DigiCert CPS section 1.5.2 [1] could also more clearly state that rev...@digicert.com is the correct address for 'reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to Certificates.' Since both email addresses are listed in that section, it's not difficult to mistake supp...@digicert.com as the problem reporting mechanism, even though the last sentence in 1.5.2.1 implies that rev...@digicert.com is for problem reporting. - Wayne [1] https://www.digicert.com/wp-content/uploads/2019/04/DigiCert_CPS_v418.pdf On Thu, May 9, 2019 at 3:46 PM Andrew Ayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thu, 9 May 2019 14:47:05 + > Jeremy Rowley via dev-security-policy > wrote: > > > Hi Han - the proper alias is rev...@digicert.com. The support alias > > will sometimes handle these, but not always. > > Is that also true of SSL certificates? supp...@digicert.com is listed > first at > > https://ccadb-public.secure.force.com/mozilla/ProblemReportingMechanismsReport > > That should be fixed if supp...@digicert.com is not the right place to > report problems with SSL certificates. > > Regards, > Andrew > ___ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
RE: Reported Digicert key compromise but not revoked
Thanks Andrew. Yes - it should be rev...@digicert.com -Original Message- From: Andrew Ayer Sent: Thursday, May 9, 2019 4:46 PM To: Jeremy Rowley Cc: Jeremy Rowley via dev-security-policy Subject: Re: Reported Digicert key compromise but not revoked On Thu, 9 May 2019 14:47:05 + Jeremy Rowley via dev-security-policy wrote: > Hi Han - the proper alias is rev...@digicert.com. The support alias > will sometimes handle these, but not always. Is that also true of SSL certificates? supp...@digicert.com is listed first at https://ccadb-public.secure.force.com/mozilla/ProblemReportingMechanismsRepo rt That should be fixed if supp...@digicert.com is not the right place to report problems with SSL certificates. Regards, Andrew smime.p7s Description: S/MIME cryptographic signature ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Reported Digicert key compromise but not revoked
On Thu, 9 May 2019 14:47:05 + Jeremy Rowley via dev-security-policy wrote: > Hi Han - the proper alias is rev...@digicert.com. The support alias > will sometimes handle these, but not always. Is that also true of SSL certificates? supp...@digicert.com is listed first at https://ccadb-public.secure.force.com/mozilla/ProblemReportingMechanismsReport That should be fixed if supp...@digicert.com is not the right place to report problems with SSL certificates. Regards, Andrew ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
RE: Reported Digicert key compromise but not revoked
I personally do think that it matters to this forum. A CA - no matter what kind of certificates it issues - must take revocation requests seriously and act immediately, even if the email is sent to the wrong address. If an employee at the help desk is unable to forward revocation requests, or needs several weeks to reply, then there is something not correct with the CA, no matter if the revocation request is related to a web certificate or code signing certificate. That's my opinion on this case. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
RE: Reported Digicert key compromise but not revoked
Hi Han - the proper alias is rev...@digicert.com. The support alias will sometimes handle these, but not always. We picked up the request from your post here and are working on it. Of course, this is out of scope of the Mozilla policy since its code signing only. -Original Message- From: dev-security-policy On Behalf Of Ryan Sleevi via dev-security-policy Sent: Thursday, May 9, 2019 8:37 AM To: Han Yuwei Cc: mozilla-dev-security-policy Subject: Re: Reported Digicert key compromise but not revoked On Thu, May 9, 2019 at 8:59 AM Han Yuwei via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi m.d.s.p > I have reported a key compromise incident to digicert by contacting > support(at)digicert.com at Apr.13, 2019 and get replied at same day. > But it seems like this certificate is still valid. > This certificate is a code signing certificate and known for signing > malware. So I am here to report this to Digicert. If private key is > needed I will attach it. > > Certificate Info. > CN:Beijing Founder Apabi Technology Limited > SN: 06B7AA2C37C0876CCB0378D895D71041 > SHA1: 8564928AA4FBC4BBECF65B402503B2BE3DC60D4D > Typically, we have not dealt with issues related to code signing in this forum - particularly the evaluation and enforcement of policies. For example, the information provided doesn't allow us to distinguish whether there is even a remote chance of overlap with the activity here (e.g. with respect to audits and the CP/CPS) Have you considered reporting this to Microsoft, as I presume that's the platform concern? ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy smime.p7s Description: S/MIME cryptographic signature ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Reported Digicert key compromise but not revoked
On Thu, May 9, 2019 at 8:59 AM Han Yuwei via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi m.d.s.p > I have reported a key compromise incident to digicert by contacting > support(at)digicert.com at Apr.13, 2019 and get replied at same day. But > it seems like this certificate is still valid. > This certificate is a code signing certificate and known for signing > malware. So I am here to report this to Digicert. If private key is needed > I will attach it. > > Certificate Info. > CN:Beijing Founder Apabi Technology Limited > SN: 06B7AA2C37C0876CCB0378D895D71041 > SHA1: 8564928AA4FBC4BBECF65B402503B2BE3DC60D4D > Typically, we have not dealt with issues related to code signing in this forum - particularly the evaluation and enforcement of policies. For example, the information provided doesn't allow us to distinguish whether there is even a remote chance of overlap with the activity here (e.g. with respect to audits and the CP/CPS) Have you considered reporting this to Microsoft, as I presume that's the platform concern? ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy