No argument from me there. We generally act on them no matter what. Typically any email sent to [email protected] requesting revocation is forwarded to [email protected]. That's the standard procedure. This one was missed unfortunately.
-----Original Message----- From: dev-security-policy <[email protected]> On Behalf Of Daniel Marschall via dev-security-policy Sent: Thursday, May 9, 2019 4:16 PM To: [email protected] Subject: RE: Reported Digicert key compromise but not revoked I personally do think that it matters to this forum. A CA - no matter what kind of certificates it issues - must take revocation requests seriously and act immediately, even if the email is sent to the wrong address. If an employee at the help desk is unable to forward revocation requests, or needs several weeks to reply, then there is something not correct with the CA, no matter if the revocation request is related to a web certificate or code signing certificate. That's my opinion on this case. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
