← Sectigo cases
Bugzilla #1699756
Technical Compliance
Sectigo: Reseller ZeroSSL and Private Key Generation
RESOLVED
INVALID
Sectigo
AI Summary
This case discusses the private key generation and storage practices of ZeroSSL, a reseller of Sectigo. Concerns were raised regarding whether ZeroSSL's method of generating and storing private keys complies with Mozilla's Root Store Policy. The discussion highlighted that private keys are generated client-side and encrypted before being sent to ZeroSSL's servers. However, questions about the security of this process and the implications of storing encrypted private keys were debated. Ultimately, the case was closed as invalid after it was determined that the processes in place do not expose private keys improperly.
Chronology
- Initial concerns raised about ZeroSSL's private key generation process.
- Further discussions on the security of ZeroSSL's practices.
- Case closed as invalid after review.
Participants
Ben Wilson
Tim Callan
David Spitzer
Matthias
External References
Similar Local Cases
Sectigo: Late termination of privileged access to Certificate Systems
Sectigo: CRL validity beyond CPS allowed value
E-Tugra: Forbidden Domain Validation Method 3.2.2.4.6
Google Trust Services: uses "DNSSec-mostly" and DTPs for DNS resolution
Sectigo: Lack of technical controls for multiparty control access to Secure Zone
Asseco DS / Certum: Forward dating certificates (notBefore in the future)
Telekom Security: Finding in 2020 ETSI-Audit regarding weekly review of changes to configurations
Firmaprofesional: 2022 - Title field