On Thu, May 30, 2024 at 11:23:03AM -0400, Mike Shaver wrote:
> But then, I wonder, what are these companies expected to do if there is a
> key compromise?
I can't tell you what they're *expected* to do, but I can tell you exactly what they *actually* do:

1. they contact the person who publicised the key compromise, very strongly suggesting that the blog post describing the compromise be taken down.
2. they contact the places where the blog post was publicised, and pressure them into removing / editing the publication.
3. they replace the certificate on the live site about 10 days later.
4. they never contact the issuing CA to request revocation of the compromised certificate, leaving everyone exactly as exposed to interception as if they'd never bothered to replace the certificate in the first place.

- Matt

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/7a7bfee6-ae69-4bfe-ae45-155c91909a86%40mtasv.net.
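The point behind step 4 is a relying-party one: the certificate the subscriber installs on its server is irrelevant to a client that is shown the *old* certificate by whoever holds the leaked key, and the only thing that changes the client's decision is the issuing CA publishing a revocation. The script below is an added example and not part of this thread; it uses only the openssl command line, builds a throwaway CA and a leaf certificate for a constructed host name (www.example.test) in a temp directory, and then shows the client-side verdict with CRL checking enabled before and after the CA records the revocation with reason keyCompromise. The CA configuration, file names and function names are all constructed for the demo.

```shell
#!/bin/sh
# Added example: why "replace the cert but never ask the CA to revoke" leaves
# relying parties exposed. Everything here is a constructed, offline demo.
set -eu

DEMO_DIR=$(mktemp -d)

# Build a constructed issuing CA plus one leaf certificate under it, and the
# minimal state 'openssl ca' needs to issue CRLs (database + CRL number).
build_demo_pki() {
    dir=$1
    (
        cd "$dir"
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
            -keyout ca.key -out ca.crt -subj "/CN=Demo Issuing CA" -days 30 >/dev/null 2>&1
        openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
            -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" >/dev/null 2>&1
        openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -out leaf.crt -days 30 >/dev/null 2>&1
        cat > ca.cnf <<'EOF'
[ca]
default_ca = demo_ca
[demo_ca]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 7
EOF
        : > index.txt
        echo 01 > crlnumber
    )
}

# Publish the CA's current CRL as $2 inside the demo dir (empty until a
# revocation has been recorded).
issue_crl() {
    (cd "$1" && openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
        -gencrl -out "$2" >/dev/null 2>&1)
}

# What the subscriber should have asked the CA to do in step 4: record the
# compromised leaf as revoked, reason keyCompromise.
revoke_leaf() {
    (cd "$1" && openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
        -revoke leaf.crt -crl_reason keyCompromise >/dev/null 2>&1)
}

# The relying party's view: chain the leaf to the CA with CRL checking on.
# Exit 0 = still accepted (an attacker holding the leaked key can still use
# it), non-zero = rejected.
leaf_accepted() {
    openssl verify -CAfile "$1/ca.crt" -crl_check -CRLfile "$1/$2" \
        "$1/leaf.crt" >/dev/null 2>&1
}

build_demo_pki "$DEMO_DIR"

# Day 10: a new certificate on the live site changes nothing about this check.
issue_crl "$DEMO_DIR" before.crl
if leaf_accepted "$DEMO_DIR" before.crl; then
    echo "before revocation: compromised leaf still accepted by clients"
fi

# Only the CA's revocation flips the verdict.
revoke_leaf "$DEMO_DIR"
issue_crl "$DEMO_DIR" after.crl
if leaf_accepted "$DEMO_DIR" after.crl; then
    echo "after revocation: still accepted (unexpected)"
else
    echo "after revocation: compromised leaf rejected by clients"
fi
```

The `openssl verify -crl_check` step is the one a browser or TLS client performs (via CRL or OCSP) and it is entirely driven by what the CA has published, which is why the subscriber's own certificate swap in step 3 does nothing for anyone else until step 4 actually happens.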
