(In reply to Matthew McPherrin from comment #8) > In this case, Fina was self-issuing themselves a certificate, and there was no problem relating to the private key. Cloudflare (for 1.1.1.1) was never a subscriber, so the fact that they don't have control of the key isn't relevant. First of all, there is a core misunderstanding here. The primary duty of a CA is not to their subscribers but to the general public who trusts their certificates. Given that, any private key for a domain or IP address certificate which is controlled by someone other than the owner (or an entity chosen by the owner, e.g., an employee or a service partner) is a breach. And why does this matter? Different revocation reasons have different meanings. Some mean: “This certificate is not used any longer. Do not trust it in the future.” Others mean: “This certificate was not secure the whole time. Do not trust any past, present or future uses.” In one case, a document signed in the past can still be considered valid, in the other case not.
Bug 1986968 Comment 9 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
(In reply to Matthew McPherrin from comment #8) > In this case, Fina was self-issuing themselves a certificate, and there was no problem relating to the private key. Cloudflare (for 1.1.1.1) was never a subscriber, so the fact that they don't have control of the key isn't relevant. First of all, there is a core misunderstanding here. The primary duty of a CA is not to their subscribers but to the general public who trusts their certificates. Given that, any private key for a domain or IP address certificate which is controlled by someone other than the owner (or an entity chosen by the owner, e.g., an employee or a service partner) is a breach. And why does this matter? Different revocation reasons have different meanings. Some mean: “This certificate is not used any longer. Do not trust it in the future.” Others mean: “This certificate was not secure the whole time. Do not trust any past, present or future uses.” In one case, a document signed in the past can still be considered valid, in the other case not. The certificate for 1.1.1.1 has the revocation code “cessationOfOperation”, which does not fit at all. https://crt.sh/?id=20582951233 https://wiki.mozilla.org/CA/Revocation_Reasons