
Statement in Regard to DigiCert Revocation and Symantec Distrust - Neil44
https://www.trustico.com/news/2018/digicert-symantec-statement/set-the-record-straight.php
======
gregmac
> As the only party other than Trustico® with access to the serial numbers for
> each certificate, only DigiCert® was able to undertake a match of the keys
> provided to issued certificates (by reference to serial numbers). Trustico®
> believes there were no security concerns for customers in what it did.
> Providing the private key and serial number would have been a security
> concern; the provision of one but not the other did not present a risk;

Uhm.. what??

Leaving aside the "it's okay we compromised the PRIVATE key because.." bit of
this, is there something I'm missing here? You can extract the public key and
fingerprint from a private key, so ... it's trivial to match based on that,
right? Is there any merit to this statement whatsoever?

~~~
hamburglar
You are correct, it's very easy to check to see if a private key matches a
cert:

    $ openssl x509 -pubkey -noout -in cert.pem | openssl rsa -pubin -outform der | openssl sha1
    writing RSA key
    (stdin)= 92635f3403046f4d7d0e0b40829dc24b0370478d
    $ openssl rsa -in key.pem -pubout -outform der | openssl sha1
    writing RSA key
    (stdin)= 92635f3403046f4d7d0e0b40829dc24b0370478d
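
The same check as a stand-alone program, added here as an illustration and not part of the thread or of any Trustico or DigiCert tooling: it does in Go's standard library what the two openssl pipelines above do by hand, hashing the DER-encoded SubjectPublicKeyInfo derived from the private key and the one embedded in the certificate and comparing the two. It uses SHA-256 rather than the SHA-1 in the thread (any hash works, since the comparison is on the DER bytes), accepts PKCS#1 and PKCS#8 PEM keys, and builds its own throwaway RSA key and self-signed certificate as constructed test data, so it runs offline. The function and file names are this example's own. This is the check a CA or operator runs to decide whether a key that has been disclosed corresponds to a certificate they issued, which is exactly why having serial numbers is not needed to do the match.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiFingerprint hashes the DER SubjectPublicKeyInfo, the same bytes that
// "openssl ... -pubout -outform der" emits in the thread's pipeline.
func spkiFingerprint(pub crypto.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// parsePrivateKey accepts PKCS#1 ("RSA PRIVATE KEY") or PKCS#8 ("PRIVATE KEY") PEM.
func parsePrivateKey(keyPEM []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return nil, errors.New("no PEM block in key input")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		if s, ok := k.(crypto.Signer); ok {
			return s, nil
		}
		return nil, errors.New("unsupported private key type")
	}
	return nil, fmt.Errorf("unexpected PEM type %q", block.Type)
}

// keyMatchesCert reports whether the private key's public half is the public
// key bound in the certificate. No serial number is involved: the key alone
// identifies the certificate it belongs to.
func keyMatchesCert(keyPEM, certPEM []byte) (bool, error) {
	signer, err := parsePrivateKey(keyPEM)
	if err != nil {
		return false, err
	}
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE PEM block in cert input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	keyFP, err := spkiFingerprint(signer.Public())
	if err != nil {
		return false, err
	}
	certFP, err := spkiFingerprint(cert.PublicKey)
	if err != nil {
		return false, err
	}
	return keyFP == certFP, nil
}

// newTestPair builds a throwaway RSA key and a self-signed certificate for it.
// Constructed test data only; not a real issued certificate.
func newTestPair() (keyPEM, certPEM []byte, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return keyPEM, certPEM, nil
}

func main() {
	keyPEM, certPEM, err := newTestPair()
	if err != nil {
		panic(err)
	}
	otherKeyPEM, _, err := newTestPair() // an unrelated key, for the negative case
	if err != nil {
		panic(err)
	}
	same, _ := keyMatchesCert(keyPEM, certPEM)
	other, _ := keyMatchesCert(otherKeyPEM, certPEM)
	fmt.Println("own key matches cert:  ", same)  // true
	fmt.Println("other key matches cert:", other) // false
}
```

Against a real key and certificate you would read the two PEM files from disk and pass their bytes to keyMatchesCert; the fingerprint comparison is the whole test, which is why the thread's point stands: anyone holding the private key can find the matching certificate without being told its serial number.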

