Yeah, their entire website is designed and implemented by someone in China. See my analysis here http://www.percya.com/2016/09/startcom-operated-solely-in-china.html
On Thursday, August 25, 2016 at 10:11:21 AM UTC-7, rugk wrote:
> Hi,
> I stumbled across this service by StartCom: https://startssl.com/StartPKI (archive link: https://archive.is/GRkAK)
> I got a bit afraid when looking at their nice screenshots (https://archive.is/GRkAK#75%), because they offer intermediate certificates for companies, allowing them to issue certificates by themselves.
>
> So I checked their site to find out what this is about.
> The certs are "Trusted by all browsers" (https://archive.is/GRkAK#selection-419.0-419.23).
> So I thought in this case they (StartCom) need to control the process, especially as they allow EV certs to be issued.
> However, here is what they state on their website: "StartPKI, let you control your SSL certificate life cycle management by yourself, not by the CA!" (https://archive.is/GRkAK#selection-517.0-517.96)
> This does rather sound as if the company would have a web interface where they can issue certificates like they want...
>
> So I thought they at least keep the private key on their servers/HSMs.
> However, they mention "FIPS 140 Luna G5 HSM Secured" under "Setup your name issuing CA" (https://archive.is/GRkAK#selection-619.0-631.24), so does this indicate the companies have to set up an HSM? If so, for what, if it is not the private key of the intermediate?
> On the other hand they say that you need "No PKI infrastructure Investment" (https://archive.is/GRkAK#selection-449.0-449.32), but the "All controlled by yourself" (https://archive.is/GRkAK#selection-673.0-673.26) is not a very appeasing statement when it comes to who can issue certificates.
> Also they say you can "Issue certificates instantly" (https://archive.is/GRkAK#selection-425.0-425.28) (for free); I am wondering how this can work for EV certificates.
>
> On their news page (https://startssl.com/NewsDetails?date=20160428) they say the intermediate CA is "for the exclusive use of the verified organization". But how can they enforce this?
> At least they say that "the intermediate CA will be provided by StartCom's [...] infrastructure", so it seems they keep the intermediate themselves.
>
> So at least they keep the private key. However, this still does not answer the question how they control the certificates issued by this intermediate - especially when it comes to EV certificates.
> It is also unclear what kind of verification is made when a company issues a certificate with their own intermediate.
>
> Also note that there is a difference to StartResell. On their homepage (https://startssl.com/NewsDetails?date=20160530) they also state that resellers have their own intermediate certificate.
> However, there they seem to do the verification themselves and "charge the end user identity validation". This obviously does not happen for StartPKI...
> As StartPKI is "Ready to use in 3 days" (https://archive.is/GRkAK#selection-413.0-413.22), I doubt that they can trust all companies they issue intermediates for to do sane verification.
>
> The service is all in all quite questionable, and statements like "All controlled by yourself" are horrible to hear. I hope this statement is just wrong and they somehow keep control.
>
> Best regards,
> rugk
>
> --
> I offer PGP support. To send me a PGP-encrypted mail, please ask for my private mail address.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

