On Mon, Oct 10, 2016 at 10:33:15AM -0700, Nick Lamb wrote:
> Would anybody here _seriously_ be shocked to read next month that a black
> hat group is auctioning some StartCom private keys? On the evidence
> available we have to assume that the keys underpinning both WoSign and
> StartCom may turn out to be compromised,

Say what-now? I don't recall anything that suggested private key *compromise*. The need to roll the keys, from what I can see, is because the existing chains have done "things" that are shady, and we can never be sure there isn't more shady things lurking in the shadows. Hence, we distrust the keys entirely to prevent any of the old shady from leaping out in a year's time and laying waste to the landscape once again.

- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

