Since I started requesting revocation for certificates with known-compromised private keys, I've noticed a rather disturbing pattern emerging in a few cases:
1. I find a private key on the Internet.
2. I request revocation from the CA on the basis that the private key is compromised, and provide suitable evidence thereof.
3. The certificate is revoked.
4. Some time later, I discover that a new certificate, using the same private key, has been issued by the same CA. (Mad props to CT!)
5. "Da wah?!?" I say, and scurry off to the BRs and Mozilla Root Store Policy, only to find that there doesn't appear to be anything explicitly covering this rather disconcerting situation.

So, I'm asking the combined wisdom of this esteemed community the following questions:

1. *Are* there explicit prohibitions on issuing a certificate for a private key which has been previously submitted *to that CA* as compromised (assuming, of course, that the prior submission was valid), and I'm just not good at finding said prohibitions?
2. If there are not explicit prohibitions already in place, *should* there be? If so, should it be a BR thing, or a Policy thing?
3. Can a CA be deemed to have "obtained evidence" of key compromise prior to the issuance of a certificate, via a previously-submitted key compromise problem report for the same private key? If so, it would seem that, even if the issuance of the certificate is OK, it is a failure-to-revoke incident if the cert doesn't get revoked within 24 hours...

I greatly appreciate answers and general commentary from the learned members of this community.

Thanks,
- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
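The detection step in the post (spotting, via CT, that a later certificate carries the same key as one already reported compromised) comes down to comparing keys rather than certificates. The following is an added example, not code from the post or from any CA's or CT tooling: it records a compromised key by the SHA-256 hash of its DER-encoded SubjectPublicKeyInfo (SPKI), which is identical in every certificate issued for that key regardless of serial, subject or issuance date, and then flags any certificate whose SPKI hashes to a recorded value. The CA, the leaked key, the unrelated key and the three certificates are all constructed in the code with Go's standard library so it runs offline; the "Example Issuing CA" and the hostname are placeholders, not real entities.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CompromisedKeys holds hex SHA-256 fingerprints of the DER SubjectPublicKeyInfo
// of every key that has been reported as compromised.
type CompromisedKeys map[string]struct{}

// spkiFingerprint hashes the DER SPKI of a public key. The SPKI does not
// change between certificates for the same key, so it identifies the key.
func spkiFingerprint(pub crypto.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// AddPrivateKey records a compromised private key by its public half, which is
// all that is needed to recognise the key in later certificates.
func (c CompromisedKeys) AddPrivateKey(priv *ecdsa.PrivateKey) (string, error) {
	fp, err := spkiFingerprint(&priv.PublicKey)
	if err != nil {
		return "", err
	}
	c[fp] = struct{}{}
	return fp, nil
}

// CheckCertificate hashes the SPKI bytes exactly as they appear in the
// certificate and reports whether that key was previously reported.
func (c CompromisedKeys) CheckCertificate(cert *x509.Certificate) (flagged bool, fp string) {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	fp = hex.EncodeToString(sum[:])
	_, flagged = c[fp]
	return flagged, fp
}

// newCA builds a constructed self-signed issuing CA for the scenario.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"}, // placeholder name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCert mints a leaf certificate for pub signed by the constructed CA. Only
// the public key matters for the check; the other fields are kept minimal.
func issueCert(serial int64, cn string, pub crypto.PublicKey, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ScenarioResult records what RunScenario observes for the three certificates.
type ScenarioResult struct {
	CompromisedFP   string // fingerprint recorded with the key compromise report
	RevokedFP       string // SPKI of the certificate that was revoked
	ReissuedFP      string // SPKI of the later certificate for the same key
	ReissuedFlagged bool   // the reissued certificate is caught by the check
	FreshFlagged    bool   // an unrelated key must not be flagged
}

// RunScenario replays the post's steps with constructed keys: a leaked key is
// reported and recorded, its certificate is (notionally) revoked, and the same
// CA later issues a new certificate for the same key with a new serial.
func RunScenario() (ScenarioResult, error) {
	var res ScenarioResult
	ca, caKey, err := newCA()
	if err != nil {
		return res, err
	}
	leaked, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the key found on the Internet
	if err != nil {
		return res, err
	}
	unrelated, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a key nobody has leaked
	if err != nil {
		return res, err
	}
	reported := CompromisedKeys{}
	if res.CompromisedFP, err = reported.AddPrivateKey(leaked); err != nil {
		return res, err
	}
	revoked, err := issueCert(1001, "www.example.test", &leaked.PublicKey, ca, caKey)
	if err != nil {
		return res, err
	}
	_, res.RevokedFP = reported.CheckCertificate(revoked)
	reissued, err := issueCert(2002, "www.example.test", &leaked.PublicKey, ca, caKey)
	if err != nil {
		return res, err
	}
	res.ReissuedFlagged, res.ReissuedFP = reported.CheckCertificate(reissued)
	fresh, err := issueCert(3003, "www.example.test", &unrelated.PublicKey, ca, caKey)
	if err != nil {
		return res, err
	}
	res.FreshFlagged, _ = reported.CheckCertificate(fresh)
	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("reported key SPKI   %s\nrevoked cert SPKI   %s\nreissued cert SPKI  %s\n", res.CompromisedFP, res.RevokedFP, res.ReissuedFP)
	fmt.Printf("reissued flagged: %v, unrelated key flagged: %v\n", res.ReissuedFlagged, res.FreshFlagged)
}
```

Against real CT data the same CheckCertificate call would be run over each logged certificate (parsed with x509.ParseCertificate from the log entry's DER), with the compromised-key set populated from the keys submitted in problem reports; hashing RawSubjectPublicKeyInfo rather than re-encoding the parsed key means the fingerprint is computed over the exact bytes the CA signed.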

