That's not what Trustico are saying in their fulfilment emails (received during
the purchase of a Trustico® certificate through Comodo CA this morning):

'If you chose to have us generate your CSR during the ordering process, you
will need to contact us for a copy of your corresponding Private Key. Your
Private Key is not included within this e-mail for security reasons.
If you decided to provide your own CSR, we don't have access to your Private
Key. It will already reside on your device or server.'

'If you chose to have us generate your CSR during the ordering process, your
Private Key will only be saved within our systems for the next 14 days.'

On Friday, 2 March 2018 17:29:36 UTC, Rob Stradling wrote:
> We also asked Trustico to cease offering any tools to generate and/or
> retain customer private keys. They have complied with this request and
> have confirmed that they do not intend to offer any such tools again in
> the future.
> Trustico have also confirmed to us that they were not, and are not, in
> possession of the private keys that correspond to any of the
> certificates that they have requested for their customers through Comodo CA.
> On 02/03/18 15:25, Rich Smith via dev-security-policy wrote:
> > Comodo CA has investigated the reports posted to this list relating to the
> > suspected compromise of the private key corresponding to
> > https://crt.sh/?id=206535041. Trustico have assured us that the private key
> > could not have been compromised. However, since it will be hard to convince
> > everyone that this is the case, Trustico have agreed to obtain a replacement
> > certificate with a new keypair. Once that new certificate has been
> > installed, Comodo CA will revoke https://crt.sh/?id=206535041.
> > Regards,
> > Rich Smith
> > Sr. Compliance Manager
> > Comodo CA
> Rob Stradling
> Senior Research & Development Scientist
dev-security-policy mailing list