On Thu, Oct 20, 2016 at 1:57 PM, Kathleen Wilson <[email protected]> wrote: > 1) Distrust certificates with a notBefore date after October 21, 2016 which > chain up to the following affected roots. If additional back-dating is > discovered (by any means) to circumvent this control, then Mozilla will > immediately and permanently revoke trust in the affected roots. > a) This change will go into the Firefox 51 release train. > b) The code will use the following Subject Distinguished Names to identify > the root certificates, so that the control will also apply to > cross-certificates of these roots. > i) CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN > ii) CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN > iii) CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, > C=CN > iv) CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN > v) CN=StartCom Certification Authority, OU=Secure Digital Certificate > Signing, O=StartCom Ltd., C=IL > vi) CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
According to the wiki, Asseco Certum has cross-signed at least one of these roots. Is it expected that Certum will take any action, or do the above changes mean that Certum's cross-sign of WoSign will be considered to not exist for the purpose of Mozilla policy? Thanks, Peter _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
