On Wed, Aug 24, 2016 at 9:30 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 24/08/16 17:12, Jeremy Rowley wrote:
>> On incident 2, it sounds like they are both using the same
>> auto-generation script.
> It seems like a bit more than that, doesn't it? Let's presume that
> WoSign did not ship a copy of their intermediate cert's private key to
> StartCom. Therefore, this cert must have been issued on the back end by
> some sort of WoSign system. So either WoSign's back-end issuing service
> has some form of authentication and the StartCom system had those
> credentials (why?), or the WoSign system does not have any form of
> authentication (concerning).

I think you are missing the most likely option: CA hosting.  My
understanding is that it is not uncommon that one CA operator
contracts with another CA operator to run a CA on behalf of the first
operator.  I don't think it has been clear what disclosure of this
practice is required.  Given that I believe this is widespread, I
assumed that all of the issuing CAs in this case were operated by the
same entity.

dev-security-policy mailing list

Reply via email to