1. 16

  2. 6

    Somebody is lying, I wonder who?


    Further, Jeremy Rowley of DigiCert sent an e-mail to us requesting the following :

    “Can you please send a listing of the certificate serial numbers along with their private keys? Once we get that list, we’ll confirm the private key and revoke the certs as requested. Thanks!”

    Trustico® followed the requests of DigiCert by initially recovering Private Keys from cold storage and subsequently e-mailing the associated order number and Private Keys to DigiCert in a ZIP file. The file did not contain any other type of data.

    Trustico® allows customers to generate a Certificate Signing Request and Private Key during the ordering process. These Private Keys are stored in cold storage, for the purpose of revocation.

    By Djikstra’s Whiskers, this all gets weirder and stupider the more I read.

    1. 3

      Looks like a long email thread has some more info.

      What appears to be a reasonable summary, from one of the emails in the thread:

      From what I’ve read, it appears the situation here is that Trustico wanted to revoke all their customer certs from Digicert so they could do a mass migration to another CA (which is not a proper reason to revoke). When asked for proof by Digicert that the certificates were compromised and needed to be revoked, Trustico sent Digicert 23,000(!) private keys that they had stored due to the fact that they were generated by their web-based system in order to effectively make them compromised.

      1. 3

        DigiCert is the only CA I know that hasn’t fucked up badly and has a good process in place.

        1. 1

          Does anyone have the above-linked trustico link cached? Firefox is rejecting its SSL/TLS cert for me.

          1. 2

            I used a website to take an image capture of it: https://imgur.com/a/wmiYA

            1. 1

              It’s Dijkstra’s Whiskers :^)