As I explained, we use same script using API, different parameter point to 
different API post URL for different CA, no any PKI hosting related.



> On 29 Aug 2016, at 16:25, Gervase Markham <> wrote:
>> On 24/08/16 17:44, Peter Bowen wrote:
>> I think you are missing the most likely option: CA hosting.  My
>> understanding is that it is not uncommon that one CA operator
>> contracts with another CA operator to run a CA on behalf of the first
>> operator.  I don't think it has been clear what disclosure of this
>> practice is required.  Given that I believe this is widespread, I
>> assumed that all of the issuing CAs in this case were operated by the
>> same entity.
> If StartCom are hosting WoSign's infra (seems less likely), then it's
> still a pretty severe mistake to accidentally issue a certificate from
> one of your customer's roots rather than your own, although one might
> say the mistake in this case would be StartCom's.
> If WoSign are hosting StartCom's infra, it still leaves open the
> question of why StartCom are deploying code that WoSign are no longer
> using, and haven't for six months, and why WoSign permitted the StartCom
> UI to issue WoSign certificates at all.
> Gerv

Attachment: smime.p7s
Description: S/MIME cryptographic signature

dev-security-policy mailing list

Reply via email to