Hacker News new | past | comments | ask | show | jobs | submit login

I don't understand why they'd need the Private Keys for revocation. Isn't one of the reasons to revoke because you've lost the private key?



You don't need the private keys for revocation, and you're right that compromise of the private key is one of the best reasons to revoke a cert.

I can't figure out why the Trustico CEO emailed the private keys to DigiCert. It doesn't make sense.


The Trustico CEO intentionally compromised the private keys to force DigiCert to revoke the certificates. DigiCert wouldn't do this otherwise on his request; it's the actual owner of the certificate who needs to request revocation.


I meant I don't get why he would want to do that. Why insist that all of his customers' keys be revoked? Why intentionally compromise the keys to make that happen?

After reading more about it, though, I think it's less that it doesn't make sense and more that the person making these decisions is incompetent.


In fairness, all of those private keys were already compromised from the start. I have no clue why the CEO decided to take such harmful action to his own company, but one way or another all of those certificates needed to be reissued.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: