On Tuesday, 18 October 2016 00:27:09 UTC+1, Kathleen Wilson wrote:
> I’m not sure what I could reasonably require (and enforce) of the CA in 
> regards to communicating with their customers. 

As I understand it Qihoo 360 says they intend to co-operate in order to 
eventually get the new StartCom CA trusted. If they are unwilling to 
communicate with existing subscribers of both existing CAs effectively, it 
seems to me this is evidence of bad faith and excludes the possibility of the 
new CA being trusted by Mozilla (or, in my opinion, any right-thinking person).

So, essentially I'd argue that explaining Mozilla's decision to existing 
subscribers is a prerequisite of any future trust for the new StartCom, and 
Mozilla should emphasise that to Qihoo 360. The communication needn't walk 
through all Mozilla's findings, but it should clearly say what will happen (new 
certificates won't be trusted) and that Qihoo 360/WoSign/StartCom accept this 
as legitimate.

dev-security-policy mailing list