Hacker News
by jvehent 5490 days ago
This would actually be a problem.... if the private key was good for anything. Certigna's response says it is not:

"Certigna has issued a response claiming that the file represented a 'test' certificate that had long since expired. "The private key available on the server corresponds to a test certificate used on our website certigna.fr," the company claimed. "It is impossible to generate new valid user certificates from this key. Moreover, it is encrypted and is an SSL certificate expired since July 2010. This key does not affect our infrastructure security. The Certigna SSL authority’s private key is stored in HSM (Hardware Security Module) and hence can never be recovered. This useless file has been removed."


Just some sensationalist reporting without proper fact-checking, then. Again.
Somebody stole a key from a Certificate Authority server? Sensationalist? Yeah, sounds pretty sensational.

"They only stole junk from my house. So your stuff is safe, somehow."

Anyway, they did fact-check - and the company didn't respond. So they reported what appeared to be a significant breach. Then, when the company responded, they reported that too. Which has a name, which is "Responsible Journalism".

Beware of metaphors when trying to understand computer issues. What happened (assuming this is the truth) is that a useless key was left on a public server in a public directory, and it could be downloaded by anybody, at which point it is useless. There is no helpful physical analogue to this situation. Just understand it as it is directly, it's not that complicated.

Your metaphor clouds the issue, it does not bring understanding. "Breaking in" to a computer network doesn't give you access to a "whole house", and what occurred wasn't a break-in; there's no part of that metaphor that actually helps you understand the situation.

At best this shows a bit of carelessness, but then, a useless, expired key doesn't necessarily require much care in handling, either. The only damage here is PR, if what the company says is true.

Except the key is apparently worthless, and thus it makes sense nobody was very particular about securing it properly. More like "They only stole the old bicycle I left unlocked in my front yard."

Making sure that the leaked private key matches the CA's public key isn't particularly difficult. This is still poor fact checking - company's response, or lack thereof, notwithstanding.
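The check that comment describes, as an added example that is not part of the thread: compare the public key derived from a private key file with the public key inside a certificate. It assumes the openssl CLI is installed and generates its own throwaway test key and certificate (nothing here is Certigna's material); the optional third argument handles a passphrase-encrypted key like the one the company describes.

```shell
#!/bin/sh
# Does a private key file belong to a given certificate?
# Both sides are reduced to the same PEM SubjectPublicKeyInfo and compared.
set -eu

# key_matches_cert KEYFILE CERTFILE [PASSPHRASE]
# Exit status 0 if the key's public half equals the certificate's public key,
# 1 if it does not or if the key cannot be read (e.g. wrong passphrase).
key_matches_cert() {
  key=$1; cert=$2; pass=${3:-}
  # -passin with an empty passphrase is ignored for unencrypted keys and
  # makes openssl fail instead of prompting for encrypted ones.
  key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Constructed demo material (hypothetical, created on the fly, deleted on exit).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Test CA" \
  -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.crt" >/dev/null 2>&1
# An encrypted copy of the same key, as a leaked "encrypted" key would look.
openssl pkey -in "$DEMO_DIR/ca.key" -aes256 -passout pass:demo \
  -out "$DEMO_DIR/ca.enc.key" 2>/dev/null
# An unrelated key that should NOT match the certificate.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$DEMO_DIR/other.key" 2>/dev/null

if key_matches_cert "$DEMO_DIR/ca.key" "$DEMO_DIR/ca.crt"; then
  echo "ca.key matches ca.crt"
fi
if key_matches_cert "$DEMO_DIR/ca.enc.key" "$DEMO_DIR/ca.crt" demo; then
  echo "ca.enc.key (decrypted with passphrase) matches ca.crt"
fi
if ! key_matches_cert "$DEMO_DIR/other.key" "$DEMO_DIR/ca.crt"; then
  echo "other.key does not match ca.crt"
fi
```

For a real leaked file you would run the function against the CA's published certificate; a mismatch is the fast way to confirm (or refute) a "test key" claim without taking the company's word for it.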

I don't think it's a good analogy. You have procedures for protecting sensitive data. This was not sensitive data, even if it appeared to be to a naive viewer, so the procedures were not followed. This does not imply anything about the security of sensitive data.