On 4/28/17, Eric Mill via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
> On Fri, Apr 28, 2017 at 4:16 AM, Richard Wang via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> This Google decision’s problem is that some big websites that used a domain that is not
>> listed in Alexa 1M suffered disruption, for example, Qihoo 360’s search
>> site and online gaming sites used a domain in CDN for pictures that is not
>> listed in Top 1M,
>>
>
> That's a plausible and interesting point about gauging impact to the Alexa
> Top 1M. If the goal is to avoid affecting them, analyzing the resources
> they pull from other origins has to be part of that.

I think the goal is still full distrust - see
 https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
    Beginning with Chrome 56, certificates issued by WoSign and
StartCom after October 21, 2016 00:00:00 UTC will not be trusted.
  <.. snip ..>
    In subsequent Chrome releases, these exceptions will be reduced
and ultimately removed, culminating in the full distrust of these CAs.
This staged approach is solely to ensure sites have the opportunity to
transition to other Certificate Authorities that are still trusted in
Google Chrome, thus minimizing disruption to users of these sites.

Lee