So get this: the CEO of a Certificate Authority, which controls the lock icon of your browser, sent >20k private keys via email, unencrypted. How hard can you show your incompetence and make clear that you had no place running that business in the first place?!?

digicert.com/blog/digicert-sta

@Kensan I get the feeling they just did that to force the certs to be revoked

@Kensan This thread has some good links going beyond their official statement, giving some context to the whole thing:
mstdn.io/@jomo/996042805772316

@Nuntius How were they ever in a position to issue certificates?

@Kensan I don't know, it's just unbelievably horrifying. It's a few hours after I learned about it, and I'm not even one of their clients, but I'm still stunned by such amateurism 😳🤯

@Nuntius Well I am sure this is just one instance where it became an incident and we learn about it...

@Kensan This mozilla.dev.security.policy thread is fun reading: groups.google.com/forum/m/#!ms

especially the bit where the Trustico CEO gets all defensive and blustery and threatens legal action for... what, for Digicert complying with their request?

@Kensan Just a note. Trustico isn't a CA, but just a reseller. (They should also know better, but they cannot issue certificates, AFAIK)

@Kensan the CA system, along with DNS, is a total fucking scam
