> > Should StartCom/WoSign be permitted to re-apply using the same roots,
> > or would they need new roots?
>
> New roots. Considering the extent to which StartCom/WoSign have
> mismanaged things, there could be further misissued certificates
> chaining to their roots that we don't know about. The only way to
> protect the ecosystem from such certificates is to require new roots -
> roots that have only ever operated under the new audits that will be
> required by Mozilla.
>
> Regards,
> Andrew

I agree that they should need new roots. But on top of the points Andrew makes, it would also require StartCom and WoSign to get cross-signed if they wish to continue supporting older devices that lack their new roots. They would have to regain the trust of another root CA who would be willing to cross-sign their new roots. Or else StartCom and WoSign would have to accept that new certificates created under their new root may not work on older devices, since older computers and embedded devices aren't always able to update their root stores.

Assuming they want new certificates to work on older devices, I imagine the need to be cross-signed would create another point of trust, since another CA willing to cross-sign would do their own audit and have added requirements.

