"However, many eyes are on the Web PKI and if such additional back-dating is discovered (by any means), Mozilla will immediately and permanently revoke trust in all WoSign and StartCom roots." Could you elaborate a bit on concrete ways of discovering such backdating?
As WoSign itself suggested, they might only operate such shady practices in C=CN. Google is blocked there, which renders Chrome's automatic certificate reporting useless. Most security researchers on this forum will not visit Chinese websites and have minimal chances of discovering such certs manually. If WoSign is not posting those certs to CT, are there any concrete proposals to detect them? Will there be an Internet-wide scan to compare certs issued in the wild with the logged CT data?

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
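One concrete shape such a scan-versus-CT comparison could take, as an added example that is not part of the post above or of any Mozilla or WoSign tooling: walk the DER of each certificate observed in the wild, pull out its serial number, its notBefore and whether it carries the embedded SCT-list extension (OID 1.3.6.1.4.1.11129.2.4.2 from RFC 6962), then report every certificate that claims to predate a chosen cutoff while appearing neither in the CT data you hold nor with embedded SCTs. The cutoff date, matching on serial number alone (a real scan would key on issuer plus serial), and the unsigned placeholder certificates built by build_sample_cert are all assumptions of this example; the hex-encoded OIDs are the standard ones.

```python
"""Screen DER certificates for back-dating candidates (added example, not from the thread)."""
from datetime import datetime, timezone

# OID 1.3.6.1.4.1.11129.2.4.2: embedded SignedCertificateTimestampList (RFC 6962 section 3.3)
SCT_LIST_OID = bytes.fromhex("2b06010401d679020402")


def tlv(tag: int, content: bytes) -> bytes:
    """DER-encode one tag/length/value triple (used only to build constructed sample input)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lbytes)]) + lbytes
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_time(tag: int, content: bytes) -> datetime:
    """Decode an X.509 Time: UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    s = content.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])                    # RFC 5280 4.1.2.5.1: 50..99 -> 19xx, 00..49 -> 20xx
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def inspect_cert(der: bytes) -> dict:
    """Extract serial, notBefore and embedded-SCT presence from a DER certificate."""
    _, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, content, pos = read_tlv(tbs, pos)
        fields.append((tag, content))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    nb_tag, nb_content, _ = read_tlv(fields[3][1], 0)   # validity -> notBefore
    has_sct = False
    for tag, content in fields:
        if tag != 0xA3:                    # [3] EXPLICIT extensions
            continue
        _, ext_seq, _ = read_tlv(content, 0)
        p = 0
        while p < len(ext_seq):
            _, ext, p = read_tlv(ext_seq, p)
            _, oid, _ = read_tlv(ext, 0)   # extnID is the first element of Extension
            has_sct = has_sct or oid == SCT_LIST_OID
    return {"serial": serial, "not_before": parse_time(nb_tag, nb_content), "embedded_sct": has_sct}


def find_suspects(observed_ders, ct_logged_serials, cutoff: datetime):
    """Certificates claiming issuance before `cutoff` that carry no CT evidence at all."""
    suspects = []
    for der in observed_ders:
        info = inspect_cert(der)
        if info["serial"] in ct_logged_serials or info["embedded_sct"]:
            continue                       # CT knows about it one way or another
        if info["not_before"] < cutoff:
            suspects.append(info)
    return suspects


def build_sample_cert(serial: int, not_before_utc: str, with_sct: bool) -> bytes:
    """Constructed, unsigned test certificate: real DER layout, placeholder contents."""
    def utctime(s):
        return tlv(0x17, s.encode("ascii"))
    version = tlv(0xA0, tlv(0x02, b"\x02"))                     # v3
    serial_der = tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    name = tlv(0x30, b"")                                       # empty Name: placeholder only
    validity = tlv(0x30, utctime(not_before_utc) + utctime("261231235959Z"))
    spki = tlv(0x30, b"")                                       # placeholder
    exts = b""
    if with_sct:
        sct_ext = tlv(0x30, tlv(0x06, SCT_LIST_OID) + tlv(0x04, tlv(0x04, b"")))
        exts = tlv(0xA3, tlv(0x30, sct_ext))
    tbs = tlv(0x30, version + serial_der + alg + name + validity + name + spki + exts)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))


if __name__ == "__main__":
    cutoff = datetime(2016, 1, 1, tzinfo=timezone.utc)          # assumed policy cutoff
    certs = [                                                    # constructed scan results
        build_sample_cert(1001, "150601000000Z", with_sct=False),  # old, unknown to CT: report
        build_sample_cert(1002, "151201000000Z", with_sct=False),  # old, but CT has it: fine
        build_sample_cert(1003, "160301000000Z", with_sct=True),   # new, embedded SCTs: fine
    ]
    for s in find_suspects(certs, ct_logged_serials={1002}, cutoff=cutoff):
        print(f"serial {s['serial']} notBefore {s['not_before']:%Y-%m-%d}: no CT evidence")
```

A hit from find_suspects is a lead, not proof: a certificate genuinely issued before a CA started logging would look the same, so each candidate still has to be checked against the CA's own records, the first date the scanner or any other observer saw it, and the CT logs after a retry.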

