by alcari 3584 days ago
We can do it without breaking websites: a TLS implementer could reject all certificates issued by a particular CA after a certain date.

(For the obvious issue) WoSign's recent certificates are in the CT logs and they're promising to put in all their 2015 certificates as well, so they could be whitelisted.


One of the problems here was that they were back-dating certificates...
That's what I included "for the obvious issue": even in the backdated certificates they still have "reasonable" notAfter dates, and we (will) have a list of every certificate they've issued in the relevant time span.

Some people are also calling for every certificate they've ever issued to be added to the CT logs, but I doubt that'll happen.
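The policy discussed in this thread, a notBefore cutoff for one CA plus a whitelist of its CT-logged certificates, with the backdating problem handled by bounding the real issue date from notAfter, written out as an added example (not code from the thread or from any browser). The CA name, cutoff, whitelist coverage start and maximum validity are constructed placeholders, and certificate fields are taken as already parsed rather than read from DER.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy parameters (placeholders, not any real browser's values).
DISTRUSTED_CA = "Example Distrusted CA"
CUTOFF = date(2016, 10, 1)              # reject this CA's certs issued after this
COVERAGE_START = date(2015, 1, 1)       # CT whitelist covers everything issued since
MAX_VALIDITY = timedelta(days=3 * 365)  # assumed longest validity the CA ever issued

@dataclass(frozen=True)
class Cert:
    issuer: str
    not_before: date
    not_after: date
    der: bytes  # constructed stand-in for the DER encoding

def fingerprint(cert: Cert) -> str:
    return hashlib.sha256(cert.der).hexdigest()

def accept(cert: Cert, today: date, whitelist: set[str]) -> tuple[bool, str]:
    """Return (accepted, reason) for one leaf certificate."""
    if not (cert.not_before <= today <= cert.not_after):
        return False, "outside validity window"
    if cert.issuer != DISTRUSTED_CA:
        return True, "issuer not subject to the distrust rule"
    if fingerprint(cert) in whitelist:
        return True, "CT-logged, whitelisted"
    if cert.not_before > CUTOFF:
        return False, "issued after cutoff and not whitelisted"
    # Backdating check: notAfter bounds how early the cert could really have been
    # issued; inside the whitelisted span a legitimate cert would be on the list.
    earliest_issue = cert.not_after - MAX_VALIDITY
    if earliest_issue >= COVERAGE_START:
        return False, "claims pre-cutoff issuance but missing from CT whitelist"
    return True, "predates CT coverage, accepted on notBefore"

def demo() -> list[tuple[bool, str]]:
    today = date(2016, 11, 1)
    logged = Cert(DISTRUSTED_CA, date(2016, 6, 1), date(2017, 6, 1), b"logged-cert")
    whitelist = {fingerprint(logged)}  # constructed whitelist of one CT-logged cert
    samples = [
        logged,
        Cert(DISTRUSTED_CA, date(2016, 10, 15), date(2017, 10, 15), b"post-cutoff"),
        # notBefore claims 2015, but a 3-year notAfter places issuance in the logged span
        Cert(DISTRUSTED_CA, date(2015, 12, 20), date(2018, 12, 20), b"backdated"),
        Cert(DISTRUSTED_CA, date(2014, 6, 1), date(2017, 5, 31), b"legacy"),
        Cert("Other CA", date(2016, 1, 1), date(2017, 1, 1), b"other"),
    ]
    return [accept(c, today, whitelist) for c in samples]
```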