Matt,

Thank you for sharing your experience with our problem reporting mechanism on this forum. It is due to this that we were able to get to the root of the issue. Here is some detail into what we saw.

Yesterday, we launched an investigation which included various members of the team researching this issue. We took this investigation as far as we could with the information we had and concluded that the CSR provided, as we read it, was malformed. We ran this CSR through various tools but were unable to successfully confirm validity.

This morning, based on the statements in this forum, we discovered that our email system had misinterpreted the CSR formatting due to it being pasted in the body of the email. When we fix Base64 encoding, the CSR verifies. Upon this discovery we have initiated revocation to occur within the guidelines of 24 hours from obtaining evidence that the private key was compromised. We take key compromises very seriously and recognize the importance to the industry and health of the ecosystem.

Lastly, we also noticed that the email you received was malformed, missing some of the required content for the OpenSSL command. This event has led to a review of our email system to learn how we can avoid malformed encoding issues in the future.

Thank you,
Joanna Fox
GoDaddy

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

