> I'd postulate there's > nothing wrong with Trustico holding the private keys if they were hosting > the site or providing CDN services for all of these sites.
I manage one of the affected domains. I can tell that in no way does Trustico hosts the site, nor provide us any CDN service. We just purchased them a certificate 4 years ago and renewed it for 3 years in april 2015. Since we are usually quite busy we simply used their form to generate the key, the CSR, and get the certificate... So, Trustico should be actually Dontrustico. The worst is that the CEO himself publicly said (here!) that they HELD OUR PRIVATE KEYS!!! Come on. M. Zane Lucas, your staff sent me (after I asked them from an explanation regarding the Digicert's first email) a coupon for a "Trustico(r) Single Site" certificate, would you expect me to trust it after what YOU disclosed here? Looks like you just cut the branch your company was sitting on. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy