At 2020-03-20 03:02:43 UTC, I sent a notification to [email protected] that certificate https://crt.sh/?id=1659219230 was using a private key with SPKI fingerprint 4c67cc2eb491585488bab29a89899e4e997648c7047c59e99a67c6123434f1eb, which was compromised due to being publicly disclosed. My e-mail included a link to a PKCS#10 attestation of compromise, signed by the key at issue. An MX server for sectigo.com accepted this e-mail at 2020-03-20 03:02:50 UTC.
This certificate was revoked by Sectigo, with a revocation timestamp of 2020-03-20 19:37:48 UTC. Subsequently, certificate https://crt.sh/?id=2614798141 was issued by Sectigo, and uses a private key with the same SPKI as that previously reported. This certificate has a notBefore of Mar 23 00:00:00 2020 GMT, and embeds two SCTs issued at 2020-03-23 05:55:53 UTC. At the time of writing, the crt.sh revocation table does not show this certificate as revoked either via CRL or OCSP:

  Mechanism  Provider  Status       Revocation Date  Last Observed in CRL  Last Checked (Error)
  OCSP       The CA    Good         n/a              n/a                   2020-03-27 06:27:23 UTC
  CRL        The CA    Not Revoked  n/a              n/a                   2020-03-27 04:44:26 UTC

Based on previous discussions on m.d.s.p, I believe Sectigo's failure to revoke this certificate within 24 hours of its issuance is a violation of the BRs, and hence Mozilla policy.

- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
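Added example, not code from the post or from the CA involved: the checks a CA can script when it receives a PKCS#10 attestation of compromise like the one described above, using only the openssl CLI. It verifies the CSR's self-signature, computes the SPKI fingerprint (SHA-256 over the DER SubjectPublicKeyInfo, the value crt.sh displays) for the CSR and for a certificate, and flags any certificate, including a later re-issuance, whose key matches. All key material, the CSR and the certificates are constructed inside the script; the subject names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed keys/CSR/certs only.
set -eu

# SHA-256 of the DER-encoded SubjectPublicKeyInfo, as shown by crt.sh.
# $1 is "req" (for a CSR) or "x509" (for a certificate), $2 is a PEM file.
spki_fingerprint() {
    openssl "$1" -in "$2" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

# $1 = attestation CSR, $2 = certificate, $3 = fingerprint named in the report.
# Succeeds only if the CSR is validly signed by the key it carries, that key is
# the one named in the report, and the certificate uses the same key.
check_attestation() {
    openssl req -in "$1" -verify -noout >/dev/null 2>&1 || return 1
    [ "$(spki_fingerprint req "$1")" = "$3" ] || return 1
    [ "$(spki_fingerprint x509 "$2")" = "$3" ]
}

work=$(mktemp -d)
# Constructed "compromised" key, an attestation CSR signed with it, the original
# certificate, a later certificate re-issued to the same key (the situation in
# the report), and an unrelated key whose certificate must not match.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/leaked.key" 2>/dev/null
openssl req -new -batch -key "$work/leaked.key" \
    -subj "/CN=Key compromise attestation (constructed)" -out "$work/attest.csr" 2>/dev/null
openssl req -x509 -new -batch -key "$work/leaked.key" -subj "/CN=example.test" \
    -days 1 -out "$work/cert1.pem" 2>/dev/null
openssl req -x509 -new -batch -key "$work/leaked.key" -subj "/CN=example.test" \
    -days 1 -out "$work/cert2.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/other.key" 2>/dev/null
openssl req -x509 -new -batch -key "$work/other.key" -subj "/CN=example.test" \
    -days 1 -out "$work/other.pem" 2>/dev/null

# The reporter's fingerprint is taken from the CSR here; in practice it comes
# from the report and is compared against the CSR as well.
reported=$(spki_fingerprint req "$work/attest.csr")
for c in cert1 cert2 other; do
    if check_attestation "$work/attest.csr" "$work/$c.pem" "$reported"; then
        echo "$c: uses the attested compromised key ($reported) -> revoke, do not re-issue"
    else
        echo "$c: does not use the attested key"
    fi
done
```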

