DigiCert revokes 23,000 certificates after receiving private keys


The American certificate authority DigiCert has decided to revoke 23,000 certificates belonging to customers of the reseller Trustico. This decision was the result of receiving the associated private keys via email from Trustico.

DigiCert writes in a statement that receiving the private keys obliged it to start the revocation process under the rules of the CA/Browser Forum, because the keys could no longer be considered secure. Those rules require the certificates to be revoked within 24 hours. The Register writes that the company subsequently sent an email to the affected customers of Trustico, which had sold the certificates. Trustico says that email should never have been sent by DigiCert.

On a Mozilla mailing list, DigiCert’s Jeremy Rowley describes his side of the story, claiming that Trustico asked DigiCert to revoke 50,000 certificates in early February. DigiCert did not do so immediately, because it was not clear to the company whether a reseller could request this instead of the customer. Trustico then claimed that the certificates were no longer secure and therefore had to be revoked, Rowley said. When DigiCert asked for proof, Trustico sent the corresponding private keys via email. This left DigiCert no choice but to revoke the certificates.

Trustico has published its own version of events in a blog post. In it, it claims that it no longer trusted the security of the certificates it had purchased from Symantec, which sold its certificate business to DigiCert last year. That is why it wanted DigiCert to revoke them. The blog post also describes an email exchange in which it eventually sent the aforementioned private keys.

Trustico says it had the keys because “it stored the keys in cold storage for revocation purposes after they were created.” Various security experts point out that nobody other than the certificate holder, in this case Trustico’s customers, is supposed to have access to the private key, and that a reseller holding the keys amounts to a “huge security flaw.” After all, whoever possesses a private key can impersonate the owner of the certificate.

According to The Register, the background is that Trustico decided this month to stop offering Symantec certificates. It said the decision was related to Google’s plan to withdraw trust in these certificates in the coming months. Trustico therefore said it would switch to Comodo certificates. The Register writes that website owners appear to have become victims of a ‘territory battle’ between DigiCert and Trustico.
