Trustico now posted a statement on their site[1]. My favourite part is this:
> Trustico® followed the requests of DigiCert by initially recovering Private Keys from cold storage and subsequently e-mailing the associated order number and Private Keys to DigiCert in a ZIP file. The file did not contain any other type of data.
What a bizarre defense. Do they think this makes them look...better?
The core issue is 1) they had the keys at all, and 2) they decided to compromise them by emailing them to DigiCert.
Saying "hey, we did nothing wrong, all we did is email the keys we had to DigiCert" just isn't a very compelling defense to claims they had the keys and emailed them to DigiCert. More like a "total admission of guilt" than a defense, really.
The secondary part is that they requested mass revocation of active certificates, including from brands such as RapidSSL which were not being browser distrusted AFAIK (even though some others were... if I need to be corrected on this please let me know).
They did this without notifying their customers in advance, so literally, they were going to intentionally screw their customers by revoking all their active SSL certificates without their authorisation and without any notice. Which then happened.
This would have affected ALL certificates, but since DigiCert said no, they then pulled all of these generated private keys from storage which they should NOT have been storing -- on their reseller web interface when you generate a certificate (which is a questionable activity but let's just go with it for the argument)... a few days after you place the order the private key disappears from the web interface. You would therefore assume they deleted it. It seems they kept a copy of all of them this whole time - which is doubly irresponsible, let alone stupid.
All I can say is thankfully LetsEncrypt is making these guys mostly irrelevant...
The good news is, as far as I know, they're only revoking the certificates that used the generator at least (though I haven't confirmed that) -- so hopefully most people that used a normal CSR certificate won't have them revoked.
Bunch of morons, I can't see why they thought this was a good idea, and as the commentator above said, this response doesn't sound better in any way. It just proves they are intentionally screwing their customers for no real reason. Even if they were intent on this distrust process, they should have at least been ensuring customers got new certificates first and had plenty of notice -- e.g. how the Chrome distrust worked. They didn't.
> The secondary part is that they requested mass revocation of active certificates, including from brands such as RapidSSL which were not being browser distrusted AFAIK (even though some others were.. if I need to be corrected on this please let me know).
To my knowledge all CAs under Symantec's control, including RapidSSL, are affected[1], with only a handful of exceptions for cross-signed intermediates where Symantec was not under control of issuance. IIRC they belong to Apple and Google (and maybe a few others).
[1]: https://www.trustico.com/news/2018/symantec-revocation/certi...