An Important Statement From Trustico®
There has been considerable public comment concerning Trustico® and DigiCert® over the past weeks. Trustico® has already provided some input in response to specific issues in that debate but would like to take this opportunity to ‘set the record straight’ as it considers itself to have been unfairly and wrongly maligned.
Trustico® has through itself and its predecessor companies been a reseller of SSL certificates for nearly 15 years. Trustico® prides itself on its quality of service, its relationships with its customers and its desire to protect their best interests. In the course of that long trading history, Trustico® has worked closely alongside Symantec® as a reseller of its SSL certificates throughout that time.
In early 2017, Google announced the forthcoming distrust of all Symantec® SSL Certificate brands on Google Chrome. In late-2017, Symantec® sold its SSL Certificate business to DigiCert®. From the time of the Google announcement, through the change of control of the Symantec® SSL business, Trustico® has been working hard on behalf of its customers to establish from Symantec®/ DigiCert® a full understanding of the Google distrust issues. This information has not been forthcoming which, resulted in Trustico® announcing to DigiCert® in February 2018 that it was contemplating ending its relationship to sell Symantec® SSL Certificates.
In response, DigiCert® gave the required notice (as the agreement permitted it to) to bring to an end the reseller agreement with Trustico®. Realising that the requested full clarification of the Google distrust issues was not now ever going to be forthcoming, Trustico® (acting in the best interests of its customers) took steps to protect its customers from what it considered to be unsafe certificates.
Trustico® is and was fully permitted under the terms of the Symantec® subscriber agreement to take action to revoke certificates on customers’ behalf. However, despite DigiCert®’s attention being drawn to the express provisions of the subscriber agreement that entitle Trustico® to take such action, DigiCert® refused to revoke stating that they would only do so by either performing a verification of control over the domain or receiving the private keys associated with the certificate.
Trustico® expressed to DigiCert® significant discomfort with handing over the private keys to the certificates. Private keys are held by Trustico® in ‘trust’ and so are secure (being kept in offline cold storage). Given the above concerns, Trustico®, acting in what it considered to be the best interests of its customers, elected to disclose the private keys so that DigiCert® would perform a revocation as they were refusing to do so otherwise.
Trustico®’s desire to take action in the genuine best interests of its customer base by procuring revocation of certificates in the manner requested by DigiCert® has led to confusion and misinformation being presented to the outside world as follows:
- Despite representations by DigiCert® since to the contrary, DigiCert® knew that Trustico® held (in trust) private keys of certain customers. A private key generating tool which saw Trustico® holding the private key on behalf of customers (in trust) has been a popular product offering for customers. It is a system developed with both the knowledge and support of Symantec®;
- Some customers have asked us why we were storing private keys and whether they gave us permission to do so. Private keys were only generated at our customers request through the private key generating tool; this service was optional. Trustico® store all data in accordance with its obligations under data protection law and company policy. Customers are offered the opportunity to delete their key during a 21 day period after which it is moved to cold (offline) storage;
- Trustico® did not seek revocation of the certificates on the basis that private keys had been compromised under 4.9.1.1(1) or 4.9.1.1(3) of the Baseline Requirements but rather that the certificates were issued contrary to 4.9.1.1(9) and/or 4.9.1.1(15). This is that either the CA was made aware the a certificate was not issued in line with the Baseline Requirements or the technical content or format of the certificate presents an unacceptable risk to application software suppliers or relying parties;
- Trustico® never deliberately exposed private keys. The revocation request was made in accordance with the Baseline Requirements and private keys were only provided under protest following DigiCert®’s request for authentication purposes. Trustico® intentionally provided private keys in a format which did not create risk to its customers;
- Notice was given to customers of our intention to revoke the certificates. It would appear that for many customers, either that notice was delivered to their junk mailbox, it was (for reasons outside our control) rejected by the host or not read. Trustico® has also issued all affected customers a number of previous communications regarding the distrust issue and notifying them to switch their product to a fully trusted certificate to avoid issues;
- As the only party other than Trustico® with access to the serial numbers for each certificate, only DigiCert® was able to undertake a match of the keys provided to issued certificates (by reference to serial numbers). Trustico® believes there were no security concerns for customers in what it did. Providing the private key and serial number would have been a security concern; the provision of one but not the other did not present a risk;
- No personal data was compromised in the subsequent hack on the Trustico® website. This hack related to a testing tool webserver unconnected to any server and/or database that contained personal data;
- DigiCert® has stated publicly that 23,000 certificates have been revoked; Trustico® only provided 19,950 private keys.
Trustico® has and is suffering significantly as a result of the misrepresentation of the position and, as you will appreciate, is considering its position legally with respect to these issues and others. Whilst Trustico® accepts that it could have done certain things better since the revocation request (and has held its hands up in that regard), its actions have all been legitimate both in terms of contractual arrangements and to best protect the interests of its longstanding customer base.
Replacement orders are available from alternative CAs to all affected customers at no cost. Trustico® is continuing to work with all its customers to ensure they are have a working and trusted SSL certificate.
Zane Lucas
Trustico® by Red 16, Inc.
Director