On Mon, May 04, 2020 at 08:45:34AM -0700, sandybar497--- via dev-security-policy wrote:
> Additionally, Sectigo referred to pwnedkeys as
> some sort of authority that they say it’s not compromised.

Bless their little cotton socks, pwnedkeys is now such an authority that
Sectigo thinks I've got every compromised key in existence.  I feel so
validated.

> The necessary evidence was provided to Sectigo and they have thus far
> failed to deal with the evidence or clearly articulate reasons for
> concluding this case to not be a compromise.

What I've found works best when reporting these cases to m.d.s.p is to
provide all the (substantive) correspondence, exactly as it was
sent/received, along with UTC timestamps.  That allows for independent
assessment that Sectigo has, in fact, fallen down on the job, rather than it
being possible that there's just a big ol' misunderstanding going on. 
Here's an example of the sort of thing I mean:

https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wtM7uX1stIA

- Matt

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy