Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The root cert for www.schrauger.com is StartCom Certificate Authority. Isn't it their (StartCom's) responsibility to make sure the owner of Certification Authority of WoSign (the next cert in the chain) is acting in accord with some terms and conditions? Secondly, should the browser vendors remove StartCom CA as a trusted root? Do they not do that because all the StsrtSSL sites would break? Fine with me, personally.

[Edited to clarify who "their" meant]



WoSign is included as a root certificate. When they first started, they weren't in all browser stores, so StartCom cross-signed their root certificate.

That way, WoSign could create certificates while they waited for browsers to update with their root certificate. It also helps for legacy/embedded systems that don't get updates, since StartCom has existed far longer. Due to the cross-sign, all WoSign certificates are still compatible.


OK thanks. Doesn't StartCom bear responsibility for the behavior of the entity they cross-signed for?


Supposedly they were bought by WoSign

http://letsphish.clonezone.link/part1

I say supposedly because this is an archive of the original domain

https://www.letsphish.org/

which now says

  > September 1, 2016:
  > I'm currently going under legal review of the site.
  > Content will not be available during this period.


IIRC not in this case because WoSign had been accepted as a root, it just wasn't in all browsers yet. LetsEncrypt went through the same process -- it was accepted, but it takes time for root store updates to reach all consumers so in the meantime it was cross signed by some other ca. That ca has no responsibility here, since letsencrypt was itself accepted as a CA and was a peer (and is thus fully responsible for its own actions)




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: