On Fri, 2 Sep 2016 11:19:18 +0100 Gervase Markham <[email protected]> wrote:
> On 31/08/16 19:13, Ryan Sleevi wrote:
> > A) Remove the CA. Users may manually trust it if they re-add it,
> > but it will not be trusted by default.
> ....
>
> F) Distrust all certs with a notBefore date after date X, and require
> the CA to apply for re-inclusion to get the distrust lifted. (I.e.
> what happened to CNNIC.) It's theoretically possible for a CA to
> backdate notBefore, but if they are logging everything to CT, that
> will be noticeable. And if they didn't log to CT, they would be
> breaking their promise to log everything to CT, which would be
> evidence of untrustworthiness.

Considering that:

1. WoSign has already been caught backdating the notBefore date, and
2. A certificate has already been found which they didn't log to CT
   despite their assertion that they had logged all certificates,

I don't think relying on the notBefore date is a viable option.

WoSign seems to have such a poor handle on their operations that I think
it would be inevitable that someone would find a certificate in the wild
with a notBefore date in the past that had not been disclosed. What
action would Mozilla take if that happened?

Regards,
Andrew
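
The notBefore cutoff rule and the CT cross-check discussed in this thread, as an added example that is not part of the original message or of any Mozilla code. The cutoff date, the logging tolerance, and the record layout are assumptions, and the sample certificates are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed values for illustration: the thread only says "date X".
CUTOFF = datetime(2016, 10, 1, tzinfo=timezone.utc)
# Assumed tolerance between notBefore and the first CT log entry.
MAX_LOG_DELAY = timedelta(days=2)


def classify(not_before, ct_first_seen, cutoff=CUTOFF, max_delay=MAX_LOG_DELAY):
    """Return (trusted_by_notbefore_rule, audit_finding) for one certificate.

    not_before    -- notBefore taken from the certificate (set by the CA)
    ct_first_seen -- earliest CT log timestamp, or None if never logged
    """
    # The distrust rule itself looks only at notBefore.
    trusted = not_before <= cutoff
    if ct_first_seen is None:
        # Contradicts a "we log everything" commitment; needs follow-up.
        finding = "not-logged"
    elif (not_before <= cutoff < ct_first_seen
          and ct_first_seen - not_before > max_delay):
        # Claims pre-cutoff issuance but first appeared in CT well after it.
        finding = "possible-backdate"
    else:
        finding = "ok"
    return trusted, finding


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample records: (label, notBefore, earliest CT timestamp).
SAMPLES = [
    ("issued-before-cutoff", utc(2016, 8, 1), utc(2016, 8, 1)),
    ("issued-after-cutoff", utc(2016, 11, 5), utc(2016, 11, 5)),
    ("backdated-and-logged", utc(2016, 9, 20), utc(2016, 11, 5)),
    ("backdated-not-logged", utc(2016, 9, 20), None),
]


def audit(samples=SAMPLES):
    """Map each label to its (trusted, finding) pair."""
    return {label: classify(nb, seen) for label, nb, seen in samples}


if __name__ == "__main__":
    for label, (trusted, finding) in audit().items():
        print(f"{label:22} trusted={trusted!s:5} finding={finding}")
```

The last two records are still trusted by the notBefore rule alone; only the audit finding separates them from a legitimately issued certificate, and the unlogged one is found only if someone encounters it in the wild.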

