Re: [Gossip] Replacing StartCom certificate
Hi Jeff,

> This is quite a bummer, as it took a whole lot of paperwork to get that
> EV certificate which presumably will have to be redone with a new
> vendor.

Why bother with an EV? Google don't, nor Facebook IIRC. Go LetsEncrypt?

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy

___
Gossip mailing list
https://www.mail-archive.com/gossip@mail-archive.com
https://www.mail-archive.com/cgi-bin/mailman/options/gossip

Re: [Gossip] Replacing StartCom certificate
On Thu, Oct 20, 2016 at 10:44:47PM -0500, Yang Yu wrote:
> According to the bug, the current action affects new certificates
> (including EV) only.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1311832
>
> imo StartCom/WoSign won't be able to issue legitimate certificates for
> a while, but they can backdate just like they did before.

Mozilla are wise to that possibility:

| However, many eyes are on the Web PKI and if such additional back-dating is
| discovered (by any means), Mozilla will immediately and permanently revoke
| trust in all WoSign and StartCom roots.

See page 11 of:

https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview

The amazing list of wrong-doing documented by Mozilla doesn't give me much confidence these CAs will fully mend their ways, even if they resist the suicide of trying to back-date around the temporary ban.

If I had any certificates issued by either, I'd be looking to promptly replace them with certificates from a different CA, partly so I didn't have to worry that they might try back-dating and my certificates would stop being trusted, but also who wants to do business with organisations like these?

Cheers,
Olly

Re: [Gossip] Replacing StartCom certificate
Hi Jeff,

According to the bug, the current action affects new certificates (including EV) only.
https://bugzilla.mozilla.org/show_bug.cgi?id=1311832

imo StartCom/WoSign won't be able to issue legitimate certificates for a while, but they can backdate just like they did before.

On Thu, Oct 20, 2016 at 9:23 PM, Jeff Breidenbach wrote:
> Thanks for the heads up. Highly appreciated. I'm impressed that you know
> the certificate vendor for The Mail Archive. I was not aware of the drama
> going on with StartCom.
> Is it correct that the removal only applies to new certificates, and
> therefore the deadline for action is May 3, 2017 when the current
> certificate expires? Or is it more urgent than that? Also, does the trust
> store removal include extended validation certificates? This is quite a
> bummer, as it took a whole lot of paperwork to get that EV certificate
> which presumably will have to be redone with a new vendor.

Re: [Gossip] Replacing StartCom certificate
Thanks for the heads up. Highly appreciated. I'm impressed that you know the certificate vendor for The Mail Archive. I was not aware of the drama going on with StartCom. Is it correct that the removal only applies to new certificates, and therefore the deadline for action is May 3, 2017 when the current certificate expires? Or is it more urgent than that? Also, does the trust store removal include extended validation certificates? This is quite a bummer, as it took a whole lot of paperwork to get that EV certificate which presumably will have to be redone with a new vendor.

[Gossip] Replacing StartCom certificate
Any plan to replace the StartCom certificate? StartCom is getting removed from Mozilla and Apple trust store. Let's Encrypt may be a good alternative.

Thanks.

Yang