On Sunday, March 4, 2018 at 22:06:23 UTC+1, Eric Mill wrote:

> Last week, Trustico (a reseller, formerly for Symantec and now for Comodo)
> sent 23,000 private keys to DigiCert, to force their revocation. This
> showed that Trustico had been storing customer keys generated through one
> or more CSR/key generation forms on their website.
>
> Though Trustico disagrees, this appears to be a clear case of routine key
> compromise for subscribers who obtained their key from Trustico. The
> security of Trustico's systems, which are not audited or accountable to
> root program requirements, were storing large amounts of key material whose
> compromise could have led to the subsequent compromise of connections to
> tens of thousands of online services.
>
> It was also noted that Trustico was exposing key material to interception
> by a number of third parties through client-side JavaScript embeds, and
> that Trustico's website had functionality that allowed remote code
> execution as root on one of their web servers.
>
> These m.d.s.p threads document/link to those things:
>
> * https://groups.google.com/d/topic/mozilla.dev.security.policy/wxX4Yv0E3Mk/discussion
> * https://groups.google.com/d/topic/mozilla.dev.security.policy/BLvabFwcJqo/discussion
>
> As part of the second thread, Comodo noted:
>
> We also asked Trustico to cease offering any tools to generate and/or
> retain customer private keys. They have complied with this request and
> have confirmed that they do not intend to offer any such tools again in the
> future.
>
> That is good to hear, but a "we won't do it again" response, if accepted by
> Comodo as sufficient, seems disproportionate to the severity of the issue,
> given Trustico's unfamiliarity with norms around private key management,
> and with basic security practices.
>
> It's also clear from the experience that rules of the road for resellers
> are unclear, and that accountability is limited. It seems possible, or
> likely, that other resellers may also be mishandling customer keys.
>
> So, what would useful next steps be to improve security and accountability
> for resellers?
>
> One thought: Mozilla could ask CAs to obtain a written response from all
> contracted resellers about if/how they interact with customer key material,
> including the level of isolation/security given their key generation
> environment (if they have one), and whether any third-party JavaScript is
> given access to generated key material.
>
> Any other ideas?
>
> Also -- Comodo noted:
>
> Trustico have also confirmed to us that they were not, and are not, in
> possession of the private keys that correspond to any of the certificates
> that they have requested for their customers through Comodo CA.
>
> Since there appears to have been a significant overlap period, between the
> time Trustico switched to Comodo and when Trustico was asked by Comodo to
> cease key storage practices, it's a little hard to take at face value the
> assurance that Trustico was never in possession of any Comodo keys. It
> would be nice to hear something from Comodo about whether they've verified
> this in any more detail.
>
> -- Eric
>
> --
> konklone.com | @konklone <https://twitter.com/konklone>
It is essential to have the reseller contract draft presented as well, and to check the procedures followed by the reseller, in order to provide a reliable and standards-compliant service. Also, I would like to know how COMODO obtained confirmation that Trustico will no longer engage in this kind of act in the future.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy