On Mon, 5 Mar 2018 09:29:47 -0800 (PST) "okaphone.elektronika--- via dev-security-policy" <dev-security-policy@lists.mozilla.org> wrote:
> On Monday, 5 March 2018 18:10:17 UTC+1, okaphone.e...@gmail.com wrote:
> Ah, found it. It was tialaramex who suggested that this could be how
> Trustico got the private keys.
> https://www.reddit.com/r/sysadmin/comments/80uaq3/digicert_certificates_being_revoked/duyg6pn/

I wrote this comment in response to a redditor who claimed they'd received an email about this mass revocation although they were sure they'd used best practices in issuing a CSR. Now that we know in fact the reseller tried to have all certificates revoked regardless of whether they had the private keys (and DigiCert not unreasonably balked at doing this) it is likely the redditor in question had got an email from their reseller and their cert was not eventually revoked.

> Just speculation then. But still worth keeping in mind as something a
> reseller could be doing. I can just see some programmer coming up
> with this idea to work around the problem of not having the private
> key. ;-)

I'm pretty sure I have seen this sort of practice, but I don't have any hard evidence and it may be another of the bad ideas that has died out as the market reforms.

In terms of the larger topic of this thread, I don't think we're going to get very far putting pressure on CAs to fix resellers for reasons several people have already mentioned. We can however encourage three things that will help even though they can't overnight forbid undesirable retention of other people's keys:

1. Education. Let's make sure material from the Trust Store owners, from CAs, and from other entities we come into contact with describes processes that are secure by default, such as the use of CSRs. Got a document that skips the CSR "just for the example"? Fix that, the same way you'd show a normal family wearing seatbelts in a car in a movie even though obviously for the movie they might be on a sound stage so the seatbelts do nothing.

2. Implementation. Software vendors including Trust Store owners (such as Microsoft and Apple) have an opportunity to "bake in" secure approaches. The easier it is to do things the safer way, the less likely users are to look for a shortcut from a reseller. Nobody is offering a key generation feature so as to make the sales journey more complicated and harder to use - if "just use a CSR" was the easy option, that's all resellers would offer.

3. Customer-focused standards. Rather than try to push from the CAs, groups like PCI get to set demand; if the PCI compliance document explicitly says that your private keys mustn't come from somebody else then that's another reason somebody is going to get that right. I'm sure there are other appropriate groups that mandate SSL and could explicitly specify this as a requirement.
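The "secure by default" process the message argues for (points 1 and 2) is: the private key is generated on the subscriber's own machine, only a CSR leaves it, and the reseller or CA never handles private material. As an added illustration that is not part of this thread or of any CA's or reseller's code, the following Go program, using only the standard library, generates a key locally, builds the CSR, and shows the two checks a subscriber or an intake tool can run: that the CSR is signed by and matches the local key, and that the PEM being uploaded contains no private-key block. Function names, the hostnames and the P-256 curve choice are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// GenerateKeyAndCSR creates the private key on the subscriber's machine and
// returns it together with a PEM-encoded CSR. The CSR is the only artefact
// that should be sent to a reseller or CA; the key stays local.
// (Hypothetical helper written for this example.)
func GenerateKeyAndCSR(commonName string, dnsNames []string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName},
		DNSNames: dnsNames,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	csrPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return key, csrPEM, nil
}

// CSRMatchesKey checks that the CSR parses, that its self-signature verifies,
// and that its public key is the counterpart of the locally held private key.
// A CSR carries a public key only, so nothing here exposes private material.
func CSRMatchesKey(csrPEM []byte, key *ecdsa.PrivateKey) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return err
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return errors.New("CSR public key does not match local private key")
	}
	return nil
}

// ContainsPrivateKey scans PEM data for private-key blocks. A reseller's or
// CA's CSR intake can refuse uploads for which this returns true, and a
// subscriber can run it on whatever they are about to paste into a web form.
func ContainsPrivateKey(pemData []byte) bool {
	for {
		block, rest := pem.Decode(pemData)
		if block == nil {
			return false
		}
		switch block.Type {
		case "PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY":
			return true
		}
		pemData = rest
	}
}

func main() {
	// Constructed sample names for the example.
	key, csrPEM, err := GenerateKeyAndCSR("example.test", []string{"example.test", "www.example.test"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s", csrPEM)
	fmt.Println("CSR matches local key:", CSRMatchesKey(csrPEM, key) == nil)
	fmt.Println("CSR upload contains a private key:", ContainsPrivateKey(csrPEM))
}
```

The CSR printed by `main` is what goes to the reseller; the `key` value is never serialised for transmission, which is exactly the property the thread wants documentation and tooling to make the default rather than the exception.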