They asked Digicert (new owners of the Symantec root), who said, no, we won't revoke just because the web host asks, we only revoke on compromise.
I'm guessing Digicert also said, by way of clarification, that one thing that would cause them to revoke certs is the private key being disclosed.
At which point Trustico's CEO decided to EMAIL 23,000 CUSTOMER PRIVATE KEYS to Digicert, apparently in order to trigger that clause.
Turns out Trustico has an online private key generator, and probably logged all the customer private keys generated that way.
Digicert reached out to the Mozilla security policy list for help managing a massive revocation, and also emailed all Trustico customers as a heads up.
Then Trustico responds angrily to the list objecting to this being called a "compromise", and calls Digicert's email "absolutely defamatory."
https://www.digicert.com/blog/digicert-statement-trustico-certificate-revocation/
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wxX4Yv0E3Mk
https://www.reddit.com/r/sysadmin/comments/80uaq3/digicert_certificates_being_revoked/
Oh, correction, Trustico isn't a web host, they're an SSL reseller.
Replying to @geofft
Wait, they're not a web host but they're generating & holding copies of the private keys? That alone should be cause for revocation of CA cert.
Replying to @RichFelker
Yeah, there's some discussion of that on the CA/Browser Forum list: https://cabforum.org/pipermail/public/2018-February/013034.html They don't have a CA of their own, they just resell.
The CA who lets them resell should get revoked if they don't cut them off.