Not sure what is more shocking:

A CA having 23k private keys of their customers' certs and the CEO emailing them:

A CA having a website which allows RCE as root, from a website input:

I'm just speechless.

@dethos Trustico was not a CA.

They were a reseller.

They generated the CSRs and private keys for their customers on their web server.

@gme You are right, my mistake. Nevertheless, in practice they provide the certificates to their customers and are an important part of their customers' security setup. So I still think it was a disaster.

@dethos These days? Neither. I'd call it par for the course.

@dethos the users that believe in Web of Trust, and a third party.
RFC 7671 weeps at non-adoption.
