2 comments

[ 4.1 ms ] story [ 20.8 ms ] thread
> As the only party other than Trustico® with access to the serial numbers for each certificate, only DigiCert® was able to undertake a match of the keys provided to issued certificates (by reference to serial numbers). Trustico® believes there were no security concerns for customers in what it did. Providing the private key and serial number would have been a security concern; the provision of one but not the other did not present a risk;

Uhm.. what??

Leaving aside the "it's okay we compromised the PRIVATE key because.." bit of this, is there something I'm missing here? You can extract the public key and fingerprint from a private key, so ... it's trivial to match based on that, right? Is there any merit to this statement whatsoever?

You are correct, it's very easy to check to see if a private key matches a cert:

  $ openssl x509 -pubkey -noout -in cert.pem | openssl rsa -pubin -outform der | openssl sha1
  writing RSA key
  (stdin)= 92635f3403046f4d7d0e0b40829dc24b0370478d
  $ openssl rsa -in key.pem -pubout -outform der | openssl sha1
  writing RSA key
  (stdin)= 92635f3403046f4d7d0e0b40829dc24b0370478d