Re: [Gossip] Replacing StartCom certificate

2016-10-21 Thread Ralph Corderoy
Hi Jeff,

> This is quite a bummer, as it took a whole lot of paperwork to get that
> EV certificate which presumably will have to be redone with a new
> vendor.

Why bother with an EV?  Google don't, nor Facebook IIRC.  Go
LetsEncrypt?

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy

___
Gossip mailing list
https://www.mail-archive.com/gossip@mail-archive.com
https://www.mail-archive.com/cgi-bin/mailman/options/gossip


Re: [Gossip] Replacing StartCom certificate

2016-10-20 Thread Olly Betts
On Thu, Oct 20, 2016 at 10:44:47PM -0500, Yang Yu wrote:
> According to the bug, the current action affects new certificates
> (including EV) only.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1311832
> 
> imo StartCom/WoSign won't be able to issue legitimate certificates for
> a while, but they can backdate just like they did before.

Mozilla are wise to that possibility:

| However, many eyes are on the Web PKI and if such additional back-dating is
| discovered (by any means), Mozilla will immediately and permanently revoke
| trust in all WoSign and StartCom roots.

See page 11 of:
https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview

The amazing list of wrong-doing documented by Mozilla doesn't give me
much confidence these CAs will fully mend their ways, even if they resist the
suicide of trying to back-date around the temporary ban.

If I had any certificates issued by either, I'd be looking to promptly replace
them with certificates from a different CA, partly so I didn't have to worry
that they might try back-dating and my certificates would stop being trusted,
but also who wants to do business with organisations like these?

Cheers,
Olly



Re: [Gossip] Replacing StartCom certificate

2016-10-20 Thread Yang Yu
Hi Jeff,

According to the bug, the current action affects new certificates
(including EV) only.
https://bugzilla.mozilla.org/show_bug.cgi?id=1311832

imo StartCom/WoSign won't be able to issue legitimate certificates for
a while, but they can backdate just like they did before.

On Thu, Oct 20, 2016 at 9:23 PM, Jeff Breidenbach  wrote:
> Thanks for the heads up. Highly appreciated. I'm impressed that you know
> the certificate vendor for The Mail Archive. I was not aware of the drama
> going on with StartCom.
> Is it correct that the removal only applies to new certificates, and
> therefore the deadline for action is May 3, 2017 when the current
> certificate expires? Or is it more urgent than that? Also, does the trust
> store removal include extended validation certificates? This is quite a
> bummer, as it took a whole lot of paperwork to get that EV certificate
> which presumably will have to be redone with a new vendor.
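The distinction Yang draws above (only newly issued WoSign/StartCom certificates lose trust, older ones keep working until they expire), together with Olly's point earlier in the thread that the CA could back-date a certificate to slip under that rule, can be expressed as a check over a parsed certificate. The Go program below is an added example, not code from the thread or from The Mail Archive. It uses only the standard library, builds self-signed stand-in certificates (labelled as constructed) because no real chain is included, and the cutoff date it uses is an assumption; the authoritative date is in the Mozilla bug linked above. The check reads the issuer name and notBefore field from the certificate, so, as the comments note, a back-dated certificate would pass it; that is the residual risk the thread is discussing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Status is the verdict for one certificate under the policy discussed in the thread.
type Status string

const (
	StatusUnaffected          Status = "unaffected"            // issuer is not WoSign/StartCom
	StatusDistrusted          Status = "distrusted"            // affected issuer, notBefore after the cutoff
	StatusReplaceBeforeExpiry Status = "replace-before-expiry" // affected issuer, older cert still trusted
)

// DistrustCutoff is an assumed value for the date after which newly issued
// WoSign/StartCom certificates are no longer trusted; the authoritative date
// is in the Mozilla bug linked in the thread.
var DistrustCutoff = time.Date(2016, time.October, 21, 0, 0, 0, 0, time.UTC)

// affectedIssuers are substrings matched case-insensitively against the
// issuer's organisation and common name.
var affectedIssuers = []string{"wosign", "startcom"}

// IssuedByAffectedCA reports whether the certificate names WoSign or StartCom
// as its issuer.
func IssuedByAffectedCA(cert *x509.Certificate) bool {
	names := append([]string{cert.Issuer.CommonName}, cert.Issuer.Organization...)
	for _, n := range names {
		lower := strings.ToLower(n)
		for _, ca := range affectedIssuers {
			if strings.Contains(lower, ca) {
				return true
			}
		}
	}
	return false
}

// CertStatus applies the rule the thread describes: only certificates issued
// after the cutoff lose trust; older ones keep working until they expire, so
// they should be replaced before that date. The notBefore field is written by
// the CA itself, which is exactly why a back-dated certificate would pass here.
func CertStatus(cert *x509.Certificate) Status {
	if !IssuedByAffectedCA(cert) {
		return StatusUnaffected
	}
	if cert.NotBefore.After(DistrustCutoff) {
		return StatusDistrusted
	}
	return StatusReplaceBeforeExpiry
}

// makeTestCert builds a self-signed certificate whose subject (and therefore
// issuer) organisation is issuerOrg. It is a constructed stand-in for a real
// chain so the check can run offline; the host name is a placeholder.
func makeTestCert(issuerOrg string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{issuerOrg}, CommonName: "www.example.com"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	expiry := time.Date(2017, time.May, 3, 0, 0, 0, 0, time.UTC) // expiry date mentioned in the thread
	cases := []struct {
		org       string
		notBefore time.Time
	}{
		{"StartCom Ltd.", time.Date(2016, time.May, 3, 0, 0, 0, 0, time.UTC)},      // old cert, still trusted
		{"StartCom Ltd.", time.Date(2016, time.November, 1, 0, 0, 0, 0, time.UTC)}, // new cert, distrusted
		{"Let's Encrypt", time.Date(2016, time.November, 1, 0, 0, 0, 0, time.UTC)}, // other CA
	}
	for _, c := range cases {
		cert, err := makeTestCert(c.org, c.notBefore, expiry)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-15s notBefore=%s -> %s\n", c.org, cert.NotBefore.Format("2006-01-02"), CertStatus(cert))
	}
}
```

To run it against a real server you would replace makeTestCert with the leaf from a tls.Conn's ConnectionState().PeerCertificates; the issuer match should then be done on the full chain rather than the leaf alone, since the affected roots sit at the top of the chain.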



Re: [Gossip] Replacing StartCom certificate

2016-10-20 Thread Jeff Breidenbach
Thanks for the heads up. Highly appreciated. I'm impressed that you know
the certificate vendor for The Mail Archive. I was not aware of the drama
going on with StartCom.
Is it correct that the removal only applies to new certificates, and
therefore the deadline for action is May 3, 2017 when the current
certificate expires? Or is it more urgent than that? Also, does the trust
store removal include extended validation certificates? This is quite a
bummer, as it took a whole lot of paperwork to get that EV certificate
which presumably will have to be redone with a new vendor.

[Gossip] Replacing StartCom certificate

2016-10-18 Thread Yang Yu
Any plan to replace the StartCom certificate? StartCom is getting
removed from the Mozilla and Apple trust stores. Let's Encrypt may be a
good alternative. Thanks.


Yang
