Trustico director Zane Lucas has issued a lengthy statement regarding the recent incident in which 23,000 certificates were revoked.
Lucas claimed that Trustico “is suffering significantly as a result of the misrepresentation of the position” and is considering its position legally with respect to these issues and others in an effort to set the record straight “as it considers itself to have been unfairly and wrongly maligned.”
He claimed that Trustico was fully permitted under the terms of the Symantec subscriber agreement to revoke certificates on customers’ behalf. DigiCert refused to revoke, stating that it would only do so after either verifying control over the domain or receiving the private keys associated with the certificates. Trustico then expressed to DigiCert its “significant discomfort with handing over the private keys to the certificates”, since Trustico holds those private keys in trust and regards them as secure.
Given its concerns, Trustico, acting in what it considered to be the best interests of its customers, chose to disclose the private keys so that DigiCert would perform the revocation, as DigiCert was refusing to do so otherwise.
In an eight-point clarification, Lucas said that DigiCert knew that Trustico held (in trust) private keys of certain customers as a private key generating tool “has been a popular product offering for customers” and was developed in partnership with Symantec.
He added: “Trustico never deliberately exposed private keys. The revocation request was made in accordance with the Baseline Requirements and private keys were only provided under protest following DigiCert’s request for authentication purposes. Trustico intentionally provided private keys in a format which did not create risk to its customers.”
Lucas also said that customers were notified about the revocation of the certificates, but some notices ended up in junk mailboxes or were rejected by mail hosts, and all affected customers had been sent a number of previous communications regarding the distrust issue.
“As the only party other than Trustico with access to the serial numbers for each certificate, only DigiCert was able to undertake a match of the keys provided to issued certificates (by reference to serial numbers),” Lucas said.
“Trustico believes there were no security concerns for customers in what it did. Providing the private key and serial number would have been a security concern; the provision of one but not the other did not present a risk.”
In the original story, the certificates issued by Trustico acting as an SSL certificate authority (CA) reseller for Symantec were revoked earlier this year after DigiCert chief product officer Jeremy Rowley said that Trustico “shared with us that they held the private keys and the certificates were compromised, trying to trigger the Baseline Requirements’ 24-hour revocation requirement.”
At the time, Rowley said that Trustico had not provided any information about how certificates had been compromised, or how they acquired the private keys. “As is standard practice for a Certificate Authority, DigiCert never had possession of these private keys.” He clarified that certificates were only revoked if the private keys were received.
In clarification, Trustico said that “private keys were only generated at our customers’ request through the private key generating tool; this service was optional” and that all data was stored “in accordance with its obligations under data protection law and company policy.”