On Wed, Aug 24, 2016 at 9:30 AM, Gervase Markham <g...@mozilla.org> wrote: > On 24/08/16 17:12, Jeremy Rowley wrote: >> On incident 2, it sounds like they are both using the same >> auto-generation script. > > It seems like a bit more than that, doesn't it? Let's presume that > WoSign did not ship a copy of their intermediate cert's private key to > StartCom. Therefore, this cert must have been issued on the back end by > some sort of WoSign system. So either WoSign's back-end issuing service > has some form of authentication and the StartCom system had those > credentials (why?), or the WoSign system does not have any form of > authentication (concerning).
I think you are missing the most likely option: CA hosting. My understanding is that it is not uncommon that one CA operator contracts with another CA operator to run a CA on behalf of the first operator. I don't think it has been clear what disclosure of this practice is required. Given that I believe this is widespread, I assumed that all of the issuing CAs in this case were operated by the same entity. Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy