Tan said that, for StartCom and WoSign’s infrastructure, the PKI servers were/are shared, the CRL/OCSP and TSA code was cloned, and StartCom and WoSign shared the software development team.
Also, some of the management team is shared, I assume, since Richard Wang approved Tyro's backdated cert from StartCom. As we saw, most problems discovered are due to either software development (issues F, H, L, N, V) or management (issues S, P, R). And those teams were shared between WoSign and StartCom at the time of the incidents. Consequently, at the time of the incidents, they're the same entity with regard to those issues. So I agree with the opinion that "If their operations are, in the future, functionally separated, then they can be considered for reinclusion separately. However, for the purposes of what to do about them over *past* actions, when they were a single operational entity, their actions should be considered as such."