Yes, correct. Due to root inclusion problem, WoSign root is cross signed by StartCom since 2011. And we shared some facility with StartCom like CRL and OCSP distribution etc. But not this case, as I declared in the previous email, this is a API parameter option that can post data to any server located in any place.
Best Regards, Richard -----Original Message----- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Thursday, August 25, 2016 12:45 AM To: Gervase Markham <g...@mozilla.org> Cc: Jeremy Rowley <jeremy.row...@digicert.com>; mozilla-dev-security-pol...@lists.mozilla.org; Richard Wang <rich...@wosign.com> Subject: Re: Incidents involving the CA WoSign On Wed, Aug 24, 2016 at 9:30 AM, Gervase Markham <g...@mozilla.org> wrote: > On 24/08/16 17:12, Jeremy Rowley wrote: >> On incident 2, it sounds like they are both using the same >> auto-generation script. > > It seems like a bit more than that, doesn't it? Let's presume that > WoSign did not ship a copy of their intermediate cert's private key to > StartCom. Therefore, this cert must have been issued on the back end > by some sort of WoSign system. So either WoSign's back-end issuing > service has some form of authentication and the StartCom system had > those credentials (why?), or the WoSign system does not have any form > of authentication (concerning). I think you are missing the most likely option: CA hosting. My understanding is that it is not uncommon that one CA operator contracts with another CA operator to run a CA on behalf of the first operator. I don't think it has been clear what disclosure of this practice is required. Given that I believe this is widespread, I assumed that all of the issuing CAs in this case were operated by the same entity. Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy