[JoshTriplett]

> But they will continue to "trust individual existing certificates" if they had been published to Certificate Transparency logs by September 19th.

This seems even more sensible than Mozilla's existing proposal to trust the certificate notBefore date until proof of further backdated certificates.

[hannob]

>> But they will continue to "trust individual existing certificates" if they had been published to Certificate Transparency logs by September 19th. > This seems even more sensible than Mozilla's existing proposal to trust the certificate notBefore date until proof of further backdated certificates.

The question is how they'll actually do that. This was discussed in the moz-sec-policy-thread and people came to the rough conclusion that there are just too many wosign/startcom certificates to whitelist them in any reasonable way.

[nixgeek]

In the context of macOS, shipping out even a 75MB bundle of trusted certificates is "not significant".

Bundling it into the browser would increase the download size by a substantial percentage, but 75MB as a 'security update' distributed through the App Store is comparatively tiny versus the 1GB+ which is typical for 10.11 to 10.11.1 style updates.