Three certificates were reported as having private keys which had
been publicly disclosed, by e-mailing [email protected] at
2020-03-20 03:05:14 UTC. E-mail was received by a QuoVadis server at
2020-03-20 03:05:18 UTC. As of 2020-03-22 05:17:37, OCSP still shows all of
these certificates as being "Good".
The unrevoked certificates are:
https://crt.sh/?id=2605016622
https://crt.sh/?id=1757153116
https://crt.sh/?id=1432019792
Interestingly, at least one other certificate using the same private key as
each of the above certificates, and also issued by QuoVadis, is now showing
as revoked, suggesting that (a) QuoVadis did indeed consider the private
keys as compromised, and (b) there are no caching or delayed publishing
issues at play here.
- Matt