Hello, I am a bit shocked about this case.
The fact that this happened to someone would restrain me from reporting key compromises. Even though it is the company's fault for failing to protect their private key, their lawyers still might sue the incident reporter. A judge might not understand the PKI system and therefore might tend to decide in favor of the company, because the company can prove that they lost XXX dollars of revenue because of the service outage. I think big companies have a lot of expensive lawyers who might win such a case against a private person who might not even have the money for a good lawyer at all.

In re privacy: Telling someone the name and/or email address of a person without their consent is a clear violation of the GDPR (European General Data Protection Regulation), in case European law applies. Publishing the name and/or email address online (e.g. in the incident template) is even worse.

Take care,
Daniel

On Monday, 19 August 2019 16:26:06 UTC+2, Mathew Hodson wrote:
> Tom Wassenberg on Twitter reported an experience he had with Sectigo
> when reporting a compromised private key.
>
> https://twitter.com/tomwas54/status/1162114413148725248
> https://twitter.com/tomwas54/status/1162114465065840640
> https://twitter.com/tomwas54/status/1162114495017299976
>
> "So a few weeks ago, I came across a private key used for a TLS
> certificate, posted online. These should never be public (hence the
> "private"), and every trusted CA is obliged to revoke any certificate
> they issued when they become aware its private key is compromised.
>
> "So when I informed the issuing CA (@SectigoHQ) about this, they
> promptly revoked the cert. Two weeks later however, I receive an angry
> email from the company using the cert (cc'd to their lawyer), blaming
> me for a disruption in the services they provide.
>
> "The company explicitly mentioned @SectigoHQ "was so kind" to give
> them my contact info! It was a complete surprise for me that
> @SectigoHQ would do this without my consent. Especially seeing how the
> info was used to badger me."
>
> If these situations were common, it could create a chilling effect on
> problem reporting that would hurt the WebPKI ecosystem. Are specific
> procedures and handling of contact information in these situations
> covered by the BRs or Mozilla policy?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

