On Monday, October 10, 2016 at 2:16:53 PM UTC-7, Matt Palmer wrote:
> On Mon, Oct 10, 2016 at 10:33:15AM -0700, Nick Lamb wrote:
> > Would anybody here _seriously_ be shocked to read next month that a black
> > hat group is auctioning some StartCom private keys ? On the evidence
> > available we have to assume that the keys underpinning both WoSign and
> > StartCom may turn out to be compromised,
> Say what-now? I don't recall anything that suggested private key
> *compromise*. The need to roll the keys, from what I can see, is because
> the existing chains have done "things" that are shady, and we can never be
> sure there isn't more shady things lurking in the shadows. Hence, we
> distrust the keys entirely to prevent any of the old shady from leaping out
> in a year's time and laying waste to the landscape once again.
> - Matt
" PKI – signing service
> Code: Same code with WoSign’s one.
> Server: Shared Server.
> Location: The primary one is hosted in Qihoo 360 head quarter’s data
> center in Beijing since Dec 2015, there is a backup server in Wosign’s office
> in Shenzhen.
> Business Process: Same
As Jakob said, WoSign might have StartCom's private key. Xiaosheng Tan, perhaps
you can clarify what the backup server process and whether HSM is "backed up"
dev-security-policy mailing list