On 24/08/16 17:44, Peter Bowen wrote:
> I think you are missing the most likely option: CA hosting.  My
> understanding is that it is not uncommon that one CA operator
> contracts with another CA operator to run a CA on behalf of the first
> operator.  I don't think it has been clear what disclosure of this
> practice is required.  Given that I believe this is widespread, I
> assumed that all of the issuing CAs in this case were operated by the
> same entity.

If StartCom are hosting WoSign's infra (seems less likely), then it's
still a pretty severe mistake to accidentally issue a certificate from
one of your customer's roots rather than your own, although one might
say the mistake in this case would be StartCom's.

If WoSign are hosting StartCom's infra, it still leaves open the
question of why StartCom are deploying code that WoSign are no longer
using, and haven't for six months, and why WoSign permitted the StartCom
UI to issue WoSign certificates at all.


dev-security-policy mailing list