On 4/28/17, Eric Mill via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Fri, Apr 28, 2017 at 4:16 AM, Richard Wang via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> This Google decision’s problem is some big websites used a domain that is not
>> listed in Alexa 1M suffered disruption, for example, Qihoo 360’s search
>> site and online gaming sites used a domain in CDN for pictures that is not
>> listed in Top 1M,
>>
>
> That's a plausible and interesting point about gauging impact to the Alexa
> Top 1M. If the goal is to avoid affecting them, analyzing the resources
> they pull from other origins has to be part of that.

I think the goal is still full distrust - see
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html

  Beginning with Chrome 56, certificates issued by WoSign and StartCom
  after October 21, 2016 00:00:00 UTC will not be trusted.

  <.. snip ..>

  In subsequent Chrome releases, these exceptions will be reduced and
  ultimately removed, culminating in the full distrust of these CAs.
  This staged approach is solely to ensure sites have the opportunity
  to transition to other Certificate Authorities that are still trusted
  in Google Chrome, thus minimizing disruption to users of these sites.

Lee