The HSM is stored offline, in the vault of Qihoo 360's headquarters. I am a little 
bit surprised by this question; I don't know whether other CAs put their Root 
Certificates online?
If anybody has evidence to say "WoSign has the private key of StartCom", 
please show us here.

Xiaosheng Tan

On 2016/10/13 at 6:49 AM, "dev-security-policy on behalf of 
Percy" <on behalf of> wrote:

    On Monday, October 10, 2016 at 2:16:53 PM UTC-7, Matt Palmer wrote:
    > On Mon, Oct 10, 2016 at 10:33:15AM -0700, Nick Lamb wrote:
    > > Would anybody here _seriously_ be shocked to read next month that a 
    > > hat group is auctioning some StartCom private keys ?  On the evidence
    > > available we have to assume that the keys underpinning both WoSign and
    > > StartCom may turn out to be compromised,
    > Say what-now?  I don't recall anything that suggested private key
    > *compromise*.  The need to roll the keys, from what I can see, is because
    > the existing chains have done "things" that are shady, and we can never be
    > sure there isn't more shady things lurking in the shadows.  Hence, we
    > distrust the keys entirely to prevent any of the old shady from leaping 
    > in a year's time and laying waste to the landscape once again.
    > - Matt
    " PKI – signing service 
    >    Code: Same code with WoSign's one. 
    >    Server: Shared Server. 
    >    Location: The primary one is hosted in Qihoo 360 headquarters' data 
    >    center in Beijing since Dec 2015; there is a backup server in WoSign's office 
    >    in Shenzhen. 
    >    Business Process: Same 
    As Jakob said, WoSign might have StartCom's private key. Xiaosheng Tan, 
    perhaps you can clarify what the backup server process is and whether the HSM is 
    "backed up" as well. 
    dev-security-policy mailing list
