On Wed, Feb 28, 2018 at 4:23 PM, urijah--- via dev-security-policy < [email protected]> wrote:
> Is Trustico's storage of private keys related to this security report from
> a few months back (which did not appear to ever have been fully
> investigated...)?
>

It was fully investigated. There's no evidence to suggest relation, other than there's no way to effectively make rules on that (other than the threat of revocation for breach of contract, which you can only demonstrate when you can prove it, which you'd revoke anyways).

> https://groups.google.com/d/msg/mozilla.dev.security.policy/CEww8w9q2zE/F_bzX1guCQAJ
>
> Does Digicert have (or will it have) some sort of process in place to
> prevent resellers from storing private keys so casually?

While well-intentioned, I don't think this is really a reasonable thing to ask/expect. If they had contractual requirements on resellers, it just means you'd have new entities spring up that are equivalent to resellers without the requirements. Would we similarly require that hosting providers don't store the private keys? It's the same conceptual issue.

