by agwa 1251 days ago
Important note: ZeroSSL is not a certificate authority but a certificate reseller who is paying an actual CA, Sectigo, to operate a white-label intermediate certificate with ZeroSSL in the name[1].

As a non-CA, ZeroSSL isn't required to provide an incident report or revoke any certificates like the researcher is requesting. Fortunately, their bad security can only impact their own customers, in contrast to a CA whose bad security can affect everyone.

[1] see https://www.agwa.name/blog/post/the_certificate_issuer_field...

1 comment
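The distinction agwa draws above, between the name printed in a leaf certificate's Issuer field and the CA that actually operates the hierarchy, can be checked mechanically by walking the chain to the self-signed root and verifying each signature on the way. The following is an added example, not code from the thread or from ZeroSSL or Sectigo: it builds a constructed three-certificate chain in which the intermediate carries a reseller's name in its Subject but is signed by a different organisation's root, then shows that the two names disagree. All organisation and host names are invented, and it assumes the third-party `cryptography` package is installed.

```python
"""Added example: the Issuer field names whoever's name was put in the
intermediate's Subject; the operating CA is whoever controls the root that
signed that intermediate.  Every name below is constructed for the demo."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn, org=None):
    """Build an X.509 Name with CN and an optional O= attribute."""
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, cn)]
    if org:
        attrs.insert(0, x509.NameAttribute(NameOID.ORGANIZATION_NAME, org))
    return x509.Name(attrs)


def _build_cert(subject, issuer_name, issuer_key, pubkey, is_ca):
    """Issue a certificate for `pubkey` signed with `issuer_key` (P-256/SHA-256)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=90))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def build_demo_chain():
    """Constructed chain [leaf, intermediate, root] mimicking a white-label
    intermediate: the reseller's name is in the intermediate's Subject, but the
    root (and the key that signed the intermediate) belongs to another CA."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    inter_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())

    root_name = _name("Example Root CA", "Example CA Operator Ltd")      # hypothetical
    inter_name = _name("Example Reseller Domain CA", "Example Reseller Inc")  # hypothetical
    leaf_name = _name("www.example.test")

    root = _build_cert(root_name, root_name, root_key, root_key.public_key(), True)
    inter = _build_cert(inter_name, root_name, root_key, inter_key.public_key(), True)
    leaf = _build_cert(leaf_name, inter_name, inter_key, leaf_key.public_key(), False)
    return [leaf, inter, root]


def org(name):
    attrs = name.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    return attrs[0].value if attrs else ""


def issuer_field_org(leaf):
    """What a subscriber sees: the O= written into the leaf's Issuer field."""
    return org(leaf.issuer)


def _signed_by(cert, issuer_cert):
    """True if `issuer_cert`'s key really produced `cert`'s signature."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def chain_operator_org(chain):
    """Walk leaf -> root, checking name linkage and signatures, and return the
    O= of the self-signed root.  That root's operator is the CA whose audits and
    Baseline Requirements obligations actually cover the leaf."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject or not _signed_by(cert, issuer):
            raise ValueError("chain broken below " + org(issuer.subject))
    root = chain[-1]
    if root.issuer != root.subject or not _signed_by(root, root):
        raise ValueError("chain does not end in a self-signed root")
    return org(root.subject)


def rejects_unrelated_root(chain):
    """Negative check: swapping in a root that did not sign the intermediate
    must fail, so the answer is anchored in a verified signature, not a name."""
    other_key = ec.generate_private_key(ec.SECP256R1())
    other_name = _name("Unrelated Root", "Unrelated Org")  # hypothetical
    other_root = _build_cert(other_name, other_name, other_key, other_key.public_key(), True)
    try:
        chain_operator_org(chain[:-1] + [other_root])
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    demo = build_demo_chain()
    print("Issuer field says:     ", issuer_field_org(demo[0]))
    print("Chain root operated by:", chain_operator_org(demo))
```

The point of verifying signatures rather than just comparing names is that a Subject string is free text chosen at issuance; only the signature on the intermediate proves which root key, and therefore which audited CA, stands behind it. Against a real chain you would load the PEM files with `x509.load_pem_x509_certificate` instead of calling `build_demo_chain`, and adapt `_signed_by` to the issuer's key type (RSA roots need `padding.PKCS1v15()`).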

Sectigo might be required to revoke them, then? There doesn't seem to be a requirement for the compromise to be Sectigo's fault, according to my reading of the Baseline Requirements [1]:

> The CA SHOULD revoke a certificate within 24 hours and MUST revoke a Certificate within 5 days if one or more of the following occurs: (...)

> 16. The CA is made aware of a demonstrated or proven method that exposes the Subscriber’s Private Key to compromise or if there is clear evidence that the specific method used to generate the Private Key was flawed.

[1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-...