Re: Sectigo: Failure to process revocation request within 24 hours

2020-03-02 Thread Ryan Sleevi via dev-security-policy
Thanks. I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1619359 to
track this

On Mon, Mar 2, 2020 at 2:59 AM Matt Palmer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Between 26 Feb 2020 00:48:11 UTC and 26 Feb 2020 21:10:18 UTC, I sent three
> Certificate Problem Reports to sslab...@sectigo.com, reporting that
> certificates issued by them were using keys which have been compromised due
> to being publicly disclosed.  As of the time of writing, I have not received
> a preliminary report of Sectigo's findings, as I believe is required by
> section 4.9.5 of the Baseline Requirements.
>
> In each case, I received an auto-acknowledgement e-mail containing a case
> number, which indicates that Sectigo did, in fact, receive my problem
> report.
>
> Due to a mistake on my part, the evidence I provided to Sectigo was not
> sufficient to verify that the key was in fact compromised, so I am not
> claiming that Sectigo has fallen foul of BR s4.9.1.1.  However, as BR s4.9.5
> requires a report to be provided within 24 hours, I still believe Sectigo
> has an operational deficiency which requires investigation.
>
> The times of the e-mails I sent, the Sectigo case number I received in
> response, and the further responses I have received from Sectigo, if any,
> are detailed below.  All times are taken from the `Date` header of the
> relevant e-mail, adjusted to UTC if required.
>
> Case #00572387
>   https://crt.sh/?id=2455920199
>   Sent: 26 Feb 2020 00:48:11 +
>   Auto-ack: 26 Feb 2020 00:48:24 +
>
>   At 27 Feb 2020 19:15:10 +, I received an e-mail purporting to be from
>   Sectigo Security, quoting my initial report, and saying "we will look into
>   this right away".  Note that even this response, which I do not consider
>   qualifies as a "preliminary report", was sent over 24 hours after the
>   initial problem report.
>
>   No further response has been received since then.
>
>
> Case #00572465
>   https://crt.sh/?id=2413850414
>   Sent: 26 Feb 2020 05:07:34 +
>   Auto-ack: 26 Feb 2020 05:07:45 +
>
>   No further response has been received since the auto-acknowledgement.
>
>
> Case #00573105
>   https://crt.sh/?id=683622319
>   Sent: Wed, 26 Feb 2020 21:10:18 +
>   Auto-ack: Wed, 26 Feb 2020 21:10:32 +
>
>   No further response has been received since the auto-acknowledgement.
>
> - Matt
>
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>


Sectigo: Failure to process revocation request within 24 hours

2020-03-01 Thread Matt Palmer via dev-security-policy
Between 26 Feb 2020 00:48:11 UTC and 26 Feb 2020 21:10:18 UTC, I sent three
Certificate Problem Reports to sslab...@sectigo.com, reporting that
certificates issued by them were using keys which have been compromised due
to being publicly disclosed.  As of the time of writing, I have not received
a preliminary report of Sectigo's findings, as I believe is required by
section 4.9.5 of the Baseline Requirements.

In each case, I received an auto-acknowledgement e-mail containing a case
number, which indicates that Sectigo did, in fact, receive my problem
report.

Due to a mistake on my part, the evidence I provided to Sectigo was not
sufficient to verify that the key was in fact compromised, so I am not
claiming that Sectigo has fallen foul of BR s4.9.1.1.  However, as BR s4.9.5
requires a report to be provided within 24 hours, I still believe Sectigo
has an operational deficiency which requires investigation.

The times of the e-mails I sent, the Sectigo case number I received in
response, and the further responses I have received from Sectigo, if any,
are detailed below.  All times are taken from the `Date` header of the
relevant e-mail, adjusted to UTC if required.

Case #00572387
  https://crt.sh/?id=2455920199
  Sent: 26 Feb 2020 00:48:11 +
  Auto-ack: 26 Feb 2020 00:48:24 +

  At 27 Feb 2020 19:15:10 +, I received an e-mail purporting to be from
  Sectigo Security, quoting my initial report, and saying "we will look into
  this right away".  Note that even this response, which I do not consider
  qualifies as a "preliminary report", was sent over 24 hours after the
  initial problem report.

  No further response has been received since then.


Case #00572465
  https://crt.sh/?id=2413850414
  Sent: 26 Feb 2020 05:07:34 +
  Auto-ack: 26 Feb 2020 05:07:45 +

  No further response has been received since the auto-acknowledgement.


Case #00573105
  https://crt.sh/?id=683622319
  Sent: Wed, 26 Feb 2020 21:10:18 +
  Auto-ack: Wed, 26 Feb 2020 21:10:32 +

  No further response has been received since the auto-acknowledgement.

- Matt
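The 24-hour window Matt measures against comes from Baseline Requirements section 4.9.5, and once the e-mail `Date` headers are normalised to UTC the check is mechanical. The script below is an added example, not code from this thread, from Sectigo or from the list; it parses `Date` headers, computes each case's deadline and classifies the case as replied in window, replied late, overdue or pending. The sample records are constructed from the timestamps in the post: the archive truncates every timezone offset to a bare "+", so the example assumes "+0000" for all of them, and the evaluation time (midnight UTC on 2020-03-01, the post date) is likewise an assumption. Whether the 27 Feb reply counts as a "preliminary report" is a judgement the script leaves to the reader; it only records when the first non-automated reply arrived.

```python
"""Check Certificate Problem Report (CPR) response times against the 24-hour
preliminary-report window of Baseline Requirements section 4.9.5.

Added example, not code from this thread. Sample data is constructed from the
timestamps in the post; the archive truncates the zone offsets to "+", so
"+0000" is assumed throughout."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# BR 4.9.5: the CA must give the reporter a preliminary report within 24 hours.
PRELIMINARY_REPORT_WINDOW = timedelta(hours=24)


@dataclass
class CaseRecord:
    case_number: str            # ticket number quoted in the CA's auto-acknowledgement
    crtsh_url: str              # certificate the report concerned
    sent: str                   # Date header of the reporter's e-mail
    auto_ack: Optional[str]     # Date header of the auto-acknowledgement, if one arrived
    first_reply: Optional[str]  # Date header of the first non-automated CA reply, if any


def to_utc(date_header: str) -> datetime:
    """Parse an RFC 5322 Date header and normalise it to UTC.

    parsedate_to_datetime returns a naive datetime for the "-0000" zone
    (meaning "no usable offset"); treat that as UTC rather than local time.
    """
    parsed = parsedate_to_datetime(date_header)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def hours_between(start: datetime, end: datetime) -> float:
    """Elapsed time in hours, rounded to two decimals."""
    return round((end - start) / timedelta(hours=1), 2)


def assess_case(case: CaseRecord, now: datetime) -> dict:
    """Classify one case relative to its BR 4.9.5 deadline.

    Statuses: "replied_in_window", "replied_late", "overdue" (no reply and the
    window has closed) and "pending" (no reply but the window is still open).
    """
    sent = to_utc(case.sent)
    deadline = sent + PRELIMINARY_REPORT_WINDOW
    result = {
        "case": case.case_number,
        "received": case.auto_ack is not None,   # auto-ack shows the CA got the report
        "deadline_utc": deadline.isoformat(),
    }
    if case.first_reply is None:
        result["status"] = "overdue" if now > deadline else "pending"
        result["hours_outstanding"] = hours_between(sent, now)
    else:
        replied = to_utc(case.first_reply)
        result["status"] = "replied_late" if replied > deadline else "replied_in_window"
        result["hours_to_first_reply"] = hours_between(sent, replied)
    return result


def summarize(cases: List[CaseRecord], now: datetime) -> List[dict]:
    """Assess every case; one dict per case, in input order."""
    return [assess_case(c, now) for c in cases]


# Constructed from the thread's timestamps, "+0000" assumed for every header.
SAMPLE_CASES = [
    CaseRecord("00572387", "https://crt.sh/?id=2455920199",
               "Wed, 26 Feb 2020 00:48:11 +0000", "Wed, 26 Feb 2020 00:48:24 +0000",
               "Thu, 27 Feb 2020 19:15:10 +0000"),
    CaseRecord("00572465", "https://crt.sh/?id=2413850414",
               "Wed, 26 Feb 2020 05:07:34 +0000", "Wed, 26 Feb 2020 05:07:45 +0000", None),
    CaseRecord("00573105", "https://crt.sh/?id=683622319",
               "Wed, 26 Feb 2020 21:10:18 +0000", "Wed, 26 Feb 2020 21:10:32 +0000", None),
]

# Assumed evaluation time: the date of the original post, taken as midnight UTC.
REPORT_TIME = datetime(2020, 3, 1, 0, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in summarize(SAMPLE_CASES, REPORT_TIME):
        print(row)
```

Run as written, the first case comes out as "replied_late" with the first reply about 42.45 hours after the report, and the other two as "overdue" with no reply at all. The `to_utc` step matters when reporters and CAs sit in different zones: a header such as `26 Feb 2020 10:48:11 +1000` is the same instant as `00:48:11 +0000`, and the deadline must be computed from that instant, not from the wall-clock string.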
