> As the only party other than Trustico® with access to the serial numbers for each certificate, only DigiCert® was able to undertake a match of the keys provided to issued certificates (by reference to serial numbers). Trustico® believes there were no security concerns for customers in what it did. Providing the private key and serial number would have been a security concern; the provision of one but not the other did not present a risk;
Uhm.. what??
Leaving aside the "it's okay we compromised the PRIVATE key because.." bit of this, is there something I'm missing here? You can extract the public key and fingerprint from a private key, so ... it's trivial to match based on that, right? Is there any merit to this statement whatsoever?
2 comments
[ 4.1 ms ] story [ 20.8 ms ] threadUhm.. what??
Leaving aside the "it's okay we compromised the PRIVATE key because.." bit of this, is there something I'm missing here? You can extract the public key and fingerprint from a private key, so ... it's trivial to match based on that, right? Is there any merit to this statement whatsoever?