by mrweasel 3553 days ago
That should serve as a clear warning to other certificate authorities. Behave or you will be ruined. For most CAs, having either Apple, Mozilla, Microsoft or Google remove your root certificate will drive customers away to the point where you might as well close up shop.

Nobody has been ruined just yet. And when I look at how sheepishly slow Mozilla reacts, my guess is nobody will ever really get thrown out of that club.

What they've done is clear. It's been misconduct as a CA. Untrust them. Done. Fuck you.

Representatives of Google, Apple, and Mozilla have all dismissed the suitability of a fast reactionary nuclear approach.

There are plenty of innocent sites who use WoSign/Startcom certificates.

It's easy to be flippant when you're not actually responsible for a browser which users use, and need to worry about adverse side-effects. You kill WoSign overnight and you now have millions of users habituated to ignoring TLS errors, and who now know how to override internal browser security settings.

Hope it was worth it.