The HSM is stored offline, in the Vault of Qihoo 360’s head quarter, a little bit surprised by this question, I don’t know if there other CAs put their Root Certificates online? If anybody have evident to say “Wosign have the private key of StartCom”, please show us here.
Thanks, Xiaosheng Tan 在 2016/10/13 上午6:49,“dev-security-policy 代表 Percy”<dev-security-policy-bounces+tanxiaosheng=360...@lists.mozilla.org 代表 [email protected]> 写入: On Monday, October 10, 2016 at 2:16:53 PM UTC-7, Matt Palmer wrote: > On Mon, Oct 10, 2016 at 10:33:15AM -0700, Nick Lamb wrote: > > Would anybody here _seriously_ be shocked to read next month that a black > > hat group is auctioning some StartCom private keys ? On the evidence > > available we have to assume that the keys underpinning both WoSign and > > StartCom may turn out to be compromised, > > Say what-now? I don't recall anything that suggested private key > *compromise*. The need to roll the keys, from what I can see, is because > the existing chains have done "things" that are shady, and we can never be > sure there isn't more shady things lurking in the shadows. Hence, we > distrust the keys entirely to prevent any of the old shady from leaping out > in a year's time and laying waste to the landscape once again. > > - Matt " PKI – signing service > Code: Same code with WoSign’s one. > Server: Shared Server. > Location: The primary one is hosted in Qihoo 360 head quarter’s data center in Beijing since Dec 2015, there is a backup server in Wosign’s office in Shenzhen. > Business Process: Same " As Jakob said, WoSign might have StartCom's private key. Xiaosheng Tan, perhaps you can clarify what the backup server process and whether HSM is "backed up" as well. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
