On Thu, Oct 20, 2016 at 10:44:47PM -0500, Yang Yu wrote:
> According to the bug, the current action affects new certificates
> (including EV) only.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1311832
>
> imo StartCom/WoSign won't be able to issue legitimate certificates for
> a while, but they can backdate just like they did before.

Mozilla are wise to that possibility:

| However, many eyes are on the Web PKI and if such additional back-dating is
| discovered (by any means), Mozilla will immediately and permanently revoke
| trust in all WoSign and StartCom roots.

See page 11 of:

https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview

The amazing list of wrong-doing documented by Mozilla doesn't give me much
confidence these CAs will fully mend their ways, even if they resist the
suicide of trying to back-date around the temporary ban.

If I had any certificates issued by either, I'd be looking to promptly
replace them with certificates from a different CA, partly so I didn't
have to worry that they might try back-dating and my certificates would
stop being trusted, but also who wants to do business with organisations
like these?

Cheers,
    Olly