**Sadiq** @staticsafe@mastodon.zombocloud.com · 01 mar. 2018, 17:11

**Sadiq** @staticsafe@mastodon.zombocloud.com · 01 mar. 2018, 17:11

Sadiq @staticsafe@mastodon.zombocloud.com

the more I read about this Trustico incident, the more absurd it gets

what the actual fuck

https://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/

#infosec

**Sadiq** @staticsafe@mastodon.zombocloud.com · 01 mar. 2018, 17:17

**Sadiq** @staticsafe@mastodon.zombocloud.com · 01 mar. 2018, 17:17

its called a *private* key for a reason

don't let the certificate authority generate it for you and/or give it to the certificate authority

the only thing you are supposed to give to the certificate authority is the certificate signature request (CSR) and they give you the certificate after the validation process

#infosec

**S. Bortzmeyer ✅** @bortzmeyer · 01 mar. 2018, 17:19

**S. Bortzmeyer ✅** @bortzmeyer · 01 mar. 2018, 17:19

@staticsafe It should be noted that #Trustico ads were framing this as an advantage (green checkmark) "no need to send a CSR"

**S. Bortzmeyer ✅** @bortzmeyer · 2018-03-01T17:22:55Z

S. Bortzmeyer ✅ @bortzmeyer

@staticsafe And, to play devil's advocate, there are probably some users that would manage their private keys even more badly than #Trustico did.

Ping @aeris @Keltounet

01 mar. 2018, 17:22 · Web · 0 · 1