by vtlynch
3553 days ago
Apple will continue to trust existing certs from WoSign (provided they are CT logged). New certs will not be trusted. macOS will make this decision by first looking at signatures. It will receive the "end-entity" certificate (a cert for a specific site, like example.com) and while checking the chain, will see that there is a signature from the "WoSign CA Free SSL Certificate G2 intermediate CA" certificate. It will then look at the "notBefore" date listed in the certificate, which tells you when the certificate was issued. If it is a new certificate, it will not be trusted. If the certificate is preexisting (presumably issued before 9/19/16) it will be trusted ONLY if the certificate is CT logged. It will know if this is the case by looking for an SCT belonging to that certificate. The SCT will either be embedded directly in the certificate, or provided with the certificate during the SSL handshake (this is known as "stapling").
I doubt they'll do it this way. WoSign has only been embedding SCTs for all certificates since July and I wouldn't count on many web servers implementing SCT stapling. I expect Apple to ship a whitelist of hashes of certs that should be trusted instead.
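The two posts above describe two possible policies: the first walks the chain, checks the leaf's notBefore against a cutoff, and then requires an SCT (embedded or stapled); the reply expects a whitelist of certificate hashes instead. The following Python is an added example that models both decisions side by side; it is not code from the thread or from Apple. It assumes a cutoff of 2016-09-19 (the date the first post guesses), uses the intermediate name quoted in the first post, and replaces real X.509 parsing with a small `Cert` stand-in over constructed sample data, so it runs offline.

```python
"""Model of the WoSign trust decisions discussed in the thread (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed values: the cutoff comes from the thread's "presumably issued before
# 9/19/16"; the intermediate name is the one quoted in the first post.
WOSIGN_CUTOFF = datetime(2016, 9, 19, tzinfo=timezone.utc)
DISTRUSTED_INTERMEDIATES = {"WoSign CA Free SSL Certificate G2"}


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    subject: str
    issuer: str                 # name of the CA whose signature is on this cert
    not_before: datetime        # X.509 notBefore: when the cert was issued
    der: bytes                  # constructed placeholder for the encoded cert
    embedded_scts: int = 0      # SCTs carried in the cert's own SCT extension


def chain_touches_wosign(chain):
    """Step 1 of the first post: while checking the chain, look for a
    signature from the distrusted intermediate on any certificate."""
    return any(c.issuer in DISTRUSTED_INTERMEDIATES for c in chain)


def evaluate_chain(chain, stapled_scts=0):
    """Policy from the first post, applied to a chain given leaf first.

    Returns (trusted, reason). `stapled_scts` counts SCTs the server delivered
    in the TLS handshake rather than inside the certificate.
    """
    leaf = chain[0]
    if not chain_touches_wosign(chain):
        return True, "chain does not involve the distrusted intermediate"
    # Step 2: notBefore tells us when the leaf was issued; new certs fail.
    if leaf.not_before >= WOSIGN_CUTOFF:
        return False, "issued on/after cutoff"
    # Step 3: a pre-existing cert survives only if CT logged, i.e. at least one
    # SCT is present, embedded or stapled. (A real client additionally verifies
    # each SCT's signature against a known log key; that is omitted here.)
    if leaf.embedded_scts + stapled_scts == 0:
        return False, "pre-existing cert but no SCT (embedded or stapled)"
    return True, "pre-existing cert with SCT"


def cert_fingerprint(cert):
    """SHA-256 over the encoded certificate, the key a hash whitelist would use."""
    return hashlib.sha256(cert.der).hexdigest()


def evaluate_with_whitelist(chain, whitelist):
    """Alternative from the reply: trust only leaves whose hash is shipped."""
    leaf = chain[0]
    if not chain_touches_wosign(chain):
        return True, "chain does not involve the distrusted intermediate"
    if cert_fingerprint(leaf) in whitelist:
        return True, "leaf hash is whitelisted"
    return False, "leaf hash not whitelisted"


# Constructed sample data: one WoSign G2 intermediate and several leaves.
INTERMEDIATE = Cert("WoSign CA Free SSL Certificate G2", "WoSign Root",
                    datetime(2014, 1, 1, tzinfo=timezone.utc), b"constructed-g2")
OLD_LEAF_WITH_SCT = Cert("example.com", INTERMEDIATE.subject,
                         datetime(2016, 8, 1, tzinfo=timezone.utc),
                         b"constructed-leaf-old", embedded_scts=2)
OLD_LEAF_NO_SCT = Cert("example.com", INTERMEDIATE.subject,
                       datetime(2016, 5, 1, tzinfo=timezone.utc),
                       b"constructed-leaf-old-nosct")
NEW_LEAF = Cert("example.com", INTERMEDIATE.subject,
                datetime(2016, 10, 1, tzinfo=timezone.utc),
                b"constructed-leaf-new", embedded_scts=3)
UNRELATED_LEAF = Cert("example.org", "Some Other CA",
                      datetime(2016, 10, 1, tzinfo=timezone.utc),
                      b"constructed-leaf-other")

if __name__ == "__main__":
    for leaf, stapled in ((OLD_LEAF_WITH_SCT, 0), (OLD_LEAF_NO_SCT, 0),
                          (OLD_LEAF_NO_SCT, 1), (NEW_LEAF, 0)):
        print(leaf.not_before.date(), "stapled:", stapled,
              evaluate_chain([leaf, INTERMEDIATE], stapled))
    shipped = {cert_fingerprint(OLD_LEAF_NO_SCT)}
    print(evaluate_with_whitelist([OLD_LEAF_NO_SCT, INTERMEDIATE], shipped))
```

The contrast the reply draws is visible in the sample data: `OLD_LEAF_NO_SCT` is rejected by the SCT policy unless the server staples an SCT, but is accepted by the whitelist policy as soon as its hash is shipped, which is why a whitelist does not depend on either embedding or stapling being deployed.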