DIGICERT has announced plans to revoke more than 23,000 digital certificates resold by UK company Trustico following allegations of a serious "security incident" at the company.
According to DigiCert vice president Jeremy Rowley, Trustico requested the revocation at the beginning of February citing a breach, but then emailed DigiCert all of the private keys of its customers' certificates - which it should never have had.
DigiCert responded by mass-revoking all 23,000 certificates this week on the grounds that Trustico should never have stored its customer's private keys in the first place.
"On February 2nd, 2018, we received a request from Trustico to mass revoke all certificates that had been ordered by end users through Trustico," wrote Rowley in an extraordinary online security posting.
"Unfortunately, the email was not sent to the appropriate certificate problem reporting channels and did not surface immediately so we're delayed in sharing the concerns and information."
DigiCert could not revoke the keys without evidence of compromise consistent with the rules, or the consent of the certificate holders.
"The company shared with us that they held the private keys and the certificates were compromised, trying to trigger the BR's [baseline requirement's] 24-hour revocation requirement. However, we insisted that the subscriber must confirm the revocation request or there must be evidence of the private-key compromise," Rowley continued.
"On 2/27/2018, at my request for proof of compromise, we received a file with 23,000 private keys matched to specific Trustico customers. This definitely triggered our 24-hour revocation processing requirement...
"Once we received the keys, we confirmed that these were indeed the matching private keys for the reported certificates," he wrote, adding: "At this time, Trustico has not provided any information about how these certificates were compromised or how they acquired the private keys. As is standard practice for a certificate authority, DigiCert never had possession of these private keys."
Trustico responded with a statement on its website in a bid to justify its actions.
It claims that it is engaged in a revocation and replacement of Symantec digital certificates - Symantec sold its digital certificate business to DigiCert following a series of scandals that saw it become "distrusted" by major browser makers.
"We had been in contact with DigiCert several times over the past week to inform them that we no longer authorised them to hold our active SSL certificates on their platform," according to the Trustico statement.
"We believe the orders placed via our Symantec account were at risk and were poorly managed. In good conscience we decided it wasn't ideal to have any active SSL certificates on the Symantec systems, nor any that didn't meet our stringent security requirements.
"Our concerns also relate to the upcoming distrust of all Symantec SSL certificate brands within Google Chrome...
"At no time did we believe that we had compromised any private keys, though at the request of DigiCert we provided the private keys to them in order to facilitate a revocation request," claimed the company, admitting by implication that it held on to customers' private SSL keys.
Trustico have some big customers, eg Equifax, so this is going to have some interesting implications.— Kevin Beaumont (@GossiTheDog) 28 February 2018
It concluded: "Unfortunately things didn't go very well for us today and we are extremely sorry for all the confusion and inconvenience that has been caused. We believed that we had acted in accordance with the agreements and information that both DigiCert and Symantec® had imposed and provided upon us."
Security expert Kevin Beaumont pointed the finger of blame unambiguously at Trustico, claiming that it should not have the private keys at all, for any reason. He also suggested that these keys had been held by Trustico unencrypted.
He also pointed out on Twitter that Trustico has some major customers who will no doubt be concerned - including Equifax, which was cracked in a devastating attack last year, and a major international bank. µ
Breach occurred in 2016 but took two years to travel into Orbitz's view
Company even manages to make social engineering duller than it already is
Work on the 'specialist' facility is set to begin 'within weeks'
Weibo leak claims upcoming flagship will go on sale for $749