I checked customers on official site of Wosign https://www.wosign.com/
It seems wosign have 3 different certificate using same Key-pair(Have same public key) that is : 1,Certification Authority of WoSign as a subCA under Wosign 1999 example customer Url: https://person.guilinbank.com.cn/ 2,Certification Authority of WoSign as a subCA under StartCom Certification Authority example customer Url: https://login.dangdang.com/ 3,Certification Authority of WoSign as a Root CA The Root CA that have webtrust seal and used to apply for this certificate program https://bugzilla.mozilla.org/show_bug.cgi?id=851435 Well, Since they all have same key pair , I assume they are all related (as one system) and should be mentioned here. According to Items #8, 9, and 10 of Mozilla's CA Certificate Inclusion Policy , intermediate certificates must either be technically constrained or be audited and publicly disclosed. https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates Can anyone from Wosign explain this situation? Mike _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy