At 2020-03-20 03:02:43 UTC, I sent a notification to ssla...@sectigo.com that
certificate https://crt.sh/?id=1659219230 was using a private key with SPKI
fingerprint
4c67cc2eb491585488bab29a89899e4e997648c7047c59e99a67c6123434f1eb, which was
compromised due to being publicly disclosed. My e-mail included a link to a
PKCS#10 attestation of compromise, signed by the key at issue. An MX server for
sectigo.com accepted this e-mail at 2020-03-20 03:02:50 UTC.
This certificate was revoked by Sectigo, with a revocation timestamp of
2020-03-20 19:37:48 UTC.
Subsequently, certificate
https://crt.sh/?id=2614798141 was issued by
Sectigo, and uses a private key with the same SPKI as that previously
reported. This certificate has a notBefore of Mar 23 00:00:00 2020 GMT, and
embeds two SCTs issued at 2020-03-23 05:55:53 UTC. At the time of writing,
the crt.sh revocation table does not show this certificate as revoked either
via CRL or OCSP:
Mechanism  Provider  Status       Revocation Date  Last Observed in CRL  Last Checked (Error)
OCSP       The CA    Good         n/a              n/a                   2020-03-27 06:27:23 UTC
CRL        The CA    Not Revoked  n/a              n/a                   2020-03-27 04:44:26 UTC
Based on previous discussions on m.d.s.p, I believe Sectigo's failure to
revoke this certificate within 24 hours of its issuance is a violation of
the BRs, and hence Mozilla policy.
- Matt
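As an added example that is not part of Matt's post or of any CA's code: the two checks the report implies, in Go using only the standard library. screenCSR verifies a PKCS#10 request's own signature and looks up the key's SPKI fingerprint (SHA-256 over the DER SubjectPublicKeyInfo, the value crt.sh displays) in a compromised-key list; demo runs it first as the attestation check and then as the pre-issuance gate that would have stopped the second certificate. The keys, CSRs and blocklist are constructed in the code, not taken from the incident.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// spkiFingerprint is the hex SHA-256 of a DER SubjectPublicKeyInfo, the value crt.sh shows.
func spkiFingerprint(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return hex.EncodeToString(sum[:])
}
// screenCSR parses a PKCS#10 request, verifies its self-signature (proof that the
// requester holds the key) and reports the key's SPKI fingerprint and blocklist status.
func screenCSR(csrDER []byte, compromised map[string]bool) (string, bool, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return "", false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", false, fmt.Errorf("CSR signature invalid: %w", err)
	}
	fp := spkiFingerprint(csr.RawSubjectPublicKeyInfo)
	return fp, compromised[fp], nil
}
// demo replays the report on constructed keys: attestation, blocklisting, then screening.
func demo() (reissueBlocked, freshBlocked bool, err error) {
	compromised, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the disclosed key
	fresh, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)       // an unrelated key
	csr := func(k *ecdsa.PrivateKey) []byte { // constructed PKCS#10 request signed by k
		der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, k)
		return der
	}
	spki, _ := x509.MarshalPKIXPublicKey(&compromised.PublicKey) // SPKI as it appears in the cert
	fp, _, err := screenCSR(csr(compromised), nil)                // the attestation of compromise
	if err != nil || fp != spkiFingerprint(spki) {
		return false, false, fmt.Errorf("attestation rejected (key %s): %v", fp, err)
	}
	blocklist := map[string]bool{fp: true} // key is now known-compromised
	_, reissueBlocked, err = screenCSR(csr(compromised), blocklist) // reissue for the same key
	if err == nil {
		_, freshBlocked, err = screenCSR(csr(fresh), blocklist) // request for the fresh key
	}
	return reissueBlocked, freshBlocked, err
}
```

The same screenCSR gate, run over every incoming request against the CA's full compromised-SPKI list, is what turns a one-off revocation into a check that survives re-submission of the same key.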