> I don’t want to imagine how and where they might be keeping their root CA private key material.
The handling of key material is supposed to be checked as a part of the (required) yearly audits, which they have passed[1,2] (though the single auditor they’ve always used “does not audit any other publicly-trusted CAs”[3]). The links are in the Common CA Database (CCADB) [4], but it seems really hard to find a good publicly-accessible report page (I still haven’t found the older audits, for example).
ETA: For TrustCor specifically, Kathleen Wilson (responsible for the Mozilla root store) has collected the audit reports on Bugzilla[5].
[1] https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?at...
[2] https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?at...
[3] https://groups.google.com/a/mozilla.org/g/dev-security-polic...
[4] https://ccadb-public.secure.force.com/mozilla/IncludedCACert...
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1801504