IIRC we recently passed a CABF ballot that the CPS must contain instructions for submitting problem reports in a specific section of its CPS, in an attempt to solve problems like this. This winter or early spring, if my memory is correct.
-Tim > -----Original Message----- > From: dev-security-policy <[email protected]> On > Behalf Of Alex Cohn via dev-security-policy > Sent: Wednesday, August 8, 2018 4:01 PM > To: [email protected] > Cc: [email protected]; [email protected]; > [email protected] > Subject: Re: localhost.megasyncloopback.mega.nz private key in client > > On Wed, Aug 8, 2018 at 9:17 AM Hanno Böck <[email protected]> wrote: > > > > > As of today this is still unrevoked: > > https://crt.sh/?id=630835231&opt=ocsp > > > > Given Comodo's abuse contact was CCed in this mail I assume they knew > > about this since Sunday. Thus we're way past the 24 hour in which they > > should revoke it. > > > > -- > > Hanno Böck > > https://hboeck.de/ > > > As Hanno has no doubt learned, the [email protected] address > bounces. > I got that address off of Comodo CA's website at > https://www.comodoca.com/en-us/support/report-abuse/. > > I later found the address "[email protected]" in Comodo's latest CPS, > and forwarded my last message to it on 2018-08-05 at 20:32 CDT (UTC-5). I > received an automated confirmation immediately afterward, so I assume > Comodo has now known about this issue for ~70 hours now. > > crt.sh lists [email protected] as the "problem reporting" address for > the cert in question. I have not tried this address. > > Comodo publishes at least three different problem reporting email addresses, > and at least one of them is nonfunctional. I think similar issues have come up > before - there's often not a clear way to identify how to contact a CA. Should > we revisit the topic? > > Alex > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
