Risk & Repeat: Trustico certificate drama a cause for concern
In this week's Risk & Repeat podcast, SearchSecurity editors discuss how a controversial move by reseller Trustico led to 23,000 Symantec SSL certificates being revoked.
Trustico's certificate revocation episode has raised more questions about practices in the SSL certificate market.
DigiCert Inc. last week announced it was forced to revoke 23,000 Symantec-branded certificates because the private keys for those certificates had been exposed in an email from former reseller partner Trustico -- DigiCert acquired Symantec's certificate business last year.
According to DigiCert, Trustico requested revocation of the certificates because the reseller claimed the certificates had been compromised. After requesting evidence supporting the claim, DigiCert received an email from Trustico's CEO with the private keys of the certificates. Because the keys were exposed to unauthorized parties, DigiCert started the certificate revocation process and began replacing the certificates.
Trustico's statement, meanwhile, offered a different version of events. The reseller, which ceased to offer Symantec certificates earlier in February, claimed it no longer had confidence that Symantec systems were secure -- despite the fact that all Symantec certificates are now handled by DigiCert's own public key infrastructure.
Trustico also admitted that it routinely holds customers' certificate keys in cold storage. Experts say Trustico's certificate practices may violate the certificate industry's CA/Browser Forum Baseline Requirements.
Why did Trustico have the private keys for these certificates? Is the company a reseller or a subscriber? Why were major certificate authorities doing business with a reseller like this? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more on the Trustico certificate controversy in this episode of the Risk & Repeat podcast.