We have purchased thousands of certificates using Trustico as a reseller in recent years.
Back in those days Trustico created the CSR / private key pair within their online platform (Yes, you read it right - you can create the CSR / private key on their webpage!!!), which was the default at this time, and it is still possible to do so in their web interface. According to our investigation they were only able to send the private keys for those certificates where the CSR / private key pair was generated within their online private key generating tool. This has to be the 23k keys which Jeremy received.

I am not aware of guidelines of the CA/B Forum, but keeping 23,000 (!) private keys on your online platform seems more than alarming and is careless, and the public should be made aware of this fact.

We do not know all aspects of the parties involved, but we suspect that this could be for economic reasons, because Trustico is offering a voucher for Comodo certificates in order to replace the revoked RapidSSL/GeoTrust/DigiCert certificates now. Furthermore, they are spreading FUD regarding the upcoming distrust in the Google Chrome release and trying to force their customers to get a Comodo or Trustico-branded certificate.

Very important: Do not revoke any certificate where Trustico is not able to provide the private key!!!

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy