On 24/08/16 17:44, Peter Bowen wrote:
> I think you are missing the most likely option: CA hosting. My
> understanding is that it is not uncommon that one CA operator
> contracts with another CA operator to run a CA on behalf of the first
> operator. I don't think it has been clear what disclosure of this
> practice is required. Given that I believe this is widespread, I
> assumed that all of the issuing CAs in this case were operated by the
> same entity.
If StartCom are hosting WoSign's infra (seems less likely), then it's still a pretty severe mistake to accidentally issue a certificate from one of your customer's roots rather than your own, although one might say the mistake in this case would be StartCom's.

If WoSign are hosting StartCom's infra, it still leaves open the question of why StartCom are deploying code that WoSign are no longer using, and haven't for six months, and why WoSign permitted the StartCom UI to issue WoSign certificates at all.

Gerv

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

