> If we can't trust Trustico (we can't), but they're able to issue Comodo certs, we really can't trust Comodo either.
I can't fault this logic, which is why I'm happy to tell you that this isn't how resellers work and hasn't been for many years. They can't "issue Comodo certs", they're just a middleman taking a cut.
A reseller isn't trusted by the CA at all in Web PKI terms. They handle some customer service stuff and (like an airline discounter) they allow the headline prices to stay high so that the "real" prices seem cheaper.
You don't need to trust Trustico at all, as a Relying Party you're depending on Comodo to do their job, independent of Trustico. If you are a Trustico customer, you needn't trust them beyond the fact that you'll be sending them money, and of course any outfit might take the money and run. If you're very naive and you allow Trustico to have your private key (an arrangement Comodo told them to stop when it signed them up as a reseller) then they have your private key. So, never do that, not with Trustico, not with Comodo, not with anybody. The entire point of a private key is that it's private, we can't make it any clearer than that.