← GoDaddy cases
Bugzilla #1640310
Certificate Problem Report
GoDaddy: Failure to revoke certificate with compromised key within 24 hours
RESOLVED
FIXED
GoDaddy
AI Summary
GoDaddy faced an issue where a certificate with a compromised key was not revoked within the required 24-hour timeframe. The CA was alerted to the problem via a report on Mozilla's security policy forum. Following an internal investigation, GoDaddy confirmed the certificate was revoked within the stipulated time after confirming the compromise. However, they later acknowledged a misunderstanding of the revocation requirements, leading to updates in their processes. GoDaddy has since implemented a timing matrix to ensure compliance with revocation timelines and has reported additional certificates affected by the same issue.
Chronology
- Received a certificate problem report indicating a possible key compromise.
- Certificate was revoked due to key compromise.
- Internal analysis concluded the certificate was revoked within 24 hours.
- GoDaddy acknowledged the inquiry and committed to a community response.
- GoDaddy shared a timing matrix to improve compliance with revocation requirements.
Participants
Daniela Hood
Ryan Sleevi
Matt Palmer
Ben Wilson
External References
Similar Local Cases
DigiCert: Failure to revoke key-compromised certificates within 24 hours
GoDaddy: Agreed-Upon Website Domain Validation Method Issue
GoDaddy: OV Documentation Reuse
GoDaddy: Document Reuse Issue
GoDaddy: Expired CRLs
Sectigo: Failure to revoke key-compromised certificates
GlobalSign: Failure to revoke noncompliant ICA within 7 days
GoDaddy: failure to revoke underscores