On Monday, October 10, 2016 at 2:16:53 PM UTC-7, Matt Palmer wrote:
> On Mon, Oct 10, 2016 at 10:33:15AM -0700, Nick Lamb wrote:
> > Would anybody here _seriously_ be shocked to read next month that a black
> > hat group is auctioning some StartCom private keys ?  On the evidence
> > available we have to assume that the keys underpinning both WoSign and
> > StartCom may turn out to be compromised,
> Say what-now?  I don't recall anything that suggested private key
> *compromise*.  The need to roll the keys, from what I can see, is because
> the existing chains have done "things" that are shady, and we can never be
> sure there isn't more shady things lurking in the shadows.  Hence, we
> distrust the keys entirely to prevent any of the old shady from leaping out
> in a year's time and laying waste to the landscape once again.
> - Matt

" PKI – signing service 
>    Code: Same code with WoSign’s one. 
>    Server: Shared Server. 
>    Location: The primary one is hosted in Qihoo 360 head quarter’s data 
> center in Beijing since Dec 2015, there is a backup server in Wosign’s office 
> in Shenzhen. 
>    Business Process: Same 
As Jakob said, WoSign might have StartCom's private key. Xiaosheng Tan, perhaps 
you can clarify what the backup server process and whether HSM is "backed up" 
as well. 

dev-security-policy mailing list

Reply via email to