Re: Reported Digicert key compromise but not revoked

2019-05-11 Thread Han Yuwei via dev-security-policy
ity-policy > Sent: Thursday, May 9, 2019 4:16 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: RE: Reported Digicert key compromise but not revoked > > I personally do think that it matters to this forum. A CA - no matter what > kind of certificates it issues

RE: Reported Digicert key compromise but not revoked

2019-05-09 Thread Jeremy Rowley via dev-security-policy
olicy On Behalf Of Daniel Marschall via dev-security-policy Sent: Thursday, May 9, 2019 4:16 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Reported Digicert key compromise but not revoked I personally do think that it matters to this forum. A CA - no matter what kind of certificat

RE: Reported Digicert key compromise but not revoked

2019-05-09 Thread Jeremy Rowley via dev-security-policy
Thanks Wayne. We’ll update our CPS to keep it clear. From: Wayne Thayer Sent: Thursday, May 9, 2019 5:04 PM To: Andrew Ayer Cc: Jeremy Rowley ; Jeremy Rowley via dev-security-policy Subject: Re: Reported Digicert key compromise but not revoked DigiCert CPS section 1.5.2 [1] could also

Re: Reported Digicert key compromise but not revoked

2019-05-09 Thread Wayne Thayer via dev-security-policy
DigiCert CPS section 1.5.2 [1] could also more clearly state that rev...@digicert.com is the correct address for 'reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to Certificates.' Since b

RE: Reported Digicert key compromise but not revoked

2019-05-09 Thread Jeremy Rowley via dev-security-policy
Thanks Andrew. Yes - it should be rev...@digicert.com -Original Message- From: Andrew Ayer Sent: Thursday, May 9, 2019 4:46 PM To: Jeremy Rowley Cc: Jeremy Rowley via dev-security-policy Subject: Re: Reported Digicert key compromise but not revoked On Thu, 9 May 2019 14:47:05 +

Re: Reported Digicert key compromise but not revoked

2019-05-09 Thread Andrew Ayer via dev-security-policy
On Thu, 9 May 2019 14:47:05 + Jeremy Rowley via dev-security-policy wrote: > Hi Han - the proper alias is rev...@digicert.com. The support alias > will sometimes handle these, but not always. Is that also true of SSL certificates? supp...@digicert.com is listed first at https://ccadb-public

RE: Reported Digicert key compromise but not revoked

2019-05-09 Thread Daniel Marschall via dev-security-policy
I personally do think that it matters to this forum. A CA - no matter what kind of certificates it issues - must take revocation requests seriously and act immediately, even if the email is sent to the wrong address. If an employee at the help desk is unable to forward revocation requests, or ne

RE: Reported Digicert key compromise but not revoked

2019-05-09 Thread Jeremy Rowley via dev-security-policy
: dev-security-policy On Behalf Of Ryan Sleevi via dev-security-policy Sent: Thursday, May 9, 2019 8:37 AM To: Han Yuwei Cc: mozilla-dev-security-policy Subject: Re: Reported Digicert key compromise but not revoked On Thu, May 9, 2019 at 8:59 AM Han Yuwei via dev-security-policy < dev-secur

Re: Reported Digicert key compromise but not revoked

2019-05-09 Thread Ryan Sleevi via dev-security-policy
On Thu, May 9, 2019 at 8:59 AM Han Yuwei via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Hi m.d.s.p > I have reported a key compromise incident to DigiCert by contacting > support(at)digicert.com on Apr. 13, 2019 and got a reply the same day. But > it seems like this certif

Reported Digicert key compromise but not revoked

2019-05-09 Thread Han Yuwei via dev-security-policy
Hi m.d.s.p I have reported a key compromise incident to DigiCert by contacting support(at)digicert.com on Apr. 13, 2019 and got a reply the same day. But it seems like this certificate is still valid. This certificate is a code signing certificate and known for signing malware. So I am here to rep