Between 26 Feb 2020 00:48:11 UTC and 26 Feb 2020 21:10:18 UTC, I sent three
Certificate Problem Reports to
ssla...@sectigo.com, reporting that
certificates issued by them were using keys which have been compromised due
to being publicly disclosed. As of the time of writing, I have not received
a preliminary report of Sectigo's findings, as I believe is required by
section 4.9.5 of the Baseline Requirements.
In each case, I received an auto-acknowledgement e-mail containing a case
number, which indicates that Sectigo did, in fact, receive my problem
report.
Due to a mistake on my part, the evidence I provided to Sectigo was not
sufficient to verify that the key was in fact compromised, so I am not
claiming that Sectigo has fallen foul of BR s4.9.1.1. However, as BR s4.9.5
requires a report to be provided within 24 hours, I still believe Sectigo
has an operational deficiency which requires investigation.
The times of the e-mails I sent, the Sectigo case number I received in
response, and the further responses I have received from Sectigo, if any,
are detailed below. All times are taken from the `Date` header of the
relevant e-mail, adjusted to UTC if required.
Case #00572387
https://crt.sh/?id=2455920199
Sent: 26 Feb 2020 00:48:11 +0000
Auto-ack: 26 Feb 2020 00:48:24 +0000
At 27 Feb 2020 19:15:10 +0000, I received an e-mail purporting to be from
Sectigo Security, quoting my initial report, and saying "we will look into
this right away". Note that even this response, which I do not consider
qualifies as a "preliminary report", was sent over 24 hours after the
initial problem report.
No further response has been received since then.
Case #00572465
https://crt.sh/?id=2413850414
Sent: 26 Feb 2020 05:07:34 +0000
Auto-ack: 26 Feb 2020 05:07:45 +0000
No further response has been received since the auto-acknowledgement.
Case #00573105
https://crt.sh/?id=683622319
Sent: Wed, 26 Feb 2020 21:10:18 +0000
Auto-ack: Wed, 26 Feb 2020 21:10:32 +0000
No further response has been received since the auto-acknowledgement.
- Matt
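As an added example (not part of Matt's post or of any Sectigo tooling), a small Python script for tracking Certificate Problem Report response deadlines: it parses the `Date` headers the way the post describes, normalises them to UTC, and flags any report that has not received a response within the 24 hours the post cites from BR section 4.9.5. The case data is copied from the post; the `now` value is constructed.

```python
"""Track CPR response deadlines against the 24-hour window the post cites
from BR section 4.9.5.  Each report's sent time and first reply time are
taken from e-mail Date headers, normalised to UTC, and compared.
Case data below is copied from the post; the 'now' value is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

DEADLINE = timedelta(hours=24)


@dataclass
class Report:
    case: str
    sent: str                      # Date header of the CPR e-mail
    first_response: Optional[str]  # Date header of first human reply, if any


def to_utc(date_header: str) -> datetime:
    """Parse an RFC 5322 Date header and convert it to UTC."""
    dt = parsedate_to_datetime(date_header)
    if dt.tzinfo is None:          # a '-0000' zone parses as naive; treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def response_delay(report: Report, now: datetime) -> timedelta:
    """Elapsed time from the CPR to the first response (or to 'now' if none)."""
    end = to_utc(report.first_response) if report.first_response else now
    return end - to_utc(report.sent)


def is_overdue(report: Report, now: datetime) -> bool:
    """True when no response arrived within the 24-hour window."""
    return response_delay(report, now) > DEADLINE


REPORTS = [  # copied from the post above
    Report("00572387", "Wed, 26 Feb 2020 00:48:11 +0000", "Thu, 27 Feb 2020 19:15:10 +0000"),
    Report("00572465", "Wed, 26 Feb 2020 05:07:34 +0000", None),
    Report("00573105", "Wed, 26 Feb 2020 21:10:18 +0000", None),
]

if __name__ == "__main__":
    now = datetime(2020, 3, 1, tzinfo=timezone.utc)  # constructed reference time
    for r in REPORTS:
        status = "OVERDUE" if is_overdue(r, now) else "ok"
        print(f"Case #{r.case}: {response_delay(r, now)} after report, {status}")
```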