by byuu 3553 days ago
Sorry if this is obvious to others, but just to be clear ...

As it's widely reported that WoSign has taken over StartCom's infrastructure, this implies that StartCom StartSSL Free certificates going forward won't be trusted by Apple either, correct?

It also sounds a little strange to only call out the free certificates. Are they going to allow new paid OV/EV (and what they call 'IV') certificates to remain valid?


My read on the announcement is that they won't be taking action against the StartCom CA & intermediates at this time.

The WoSign existing-certs exemption probably involves a whitelist they're shipping along with the OS. A lot of the feasibility discussions on this approach have centered on the size of the required whitelist [1]. Taking the same approach with StartCom may not be possible due to the scale. Also, StartCom certificates don't have the same coverage in the Certificate Transparency logs - so the certificate dating is problematic.

Hmmm, thinking about this now, if I were WoSign, I would be having a fire sale on StartCom. Selling the brand immediately (maybe to an existing competent CA) and asking the trust store operators for understanding (probably conditioned on full CT reporting) might be a way to recoup some losses out of all this mess.

Representatives of Qihoo 360, StartCom, and Mozilla are meeting in London next week. I'm very curious what they will be discussing. [2]

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/...
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/...
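The comment above describes a distrust policy built from three parts: a cut-off date after which the CA's new certificates are rejected, a whitelist of pre-existing certificates shipped with the OS, and Certificate Transparency timestamps to corroborate a certificate's issuance date (since the CA's own notBefore field cannot be trusted once the CA is suspected of backdating). The following is an added toy model of that decision logic, written for this page; it is not Apple's or Mozilla's implementation, and every issuer name, date, fingerprint and SCT timestamp in it is constructed. SCTs are treated as already signature-verified, which a real client would have to do against the log's key.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed cut-off date: certificates from the distrusted CA that cannot be
# shown to predate it are rejected. Not the real date used by any vendor.
CUTOFF = date(2016, 9, 19)

# Constructed issuer names standing in for the distrusted CA hierarchy.
DISTRUSTED_ISSUERS = {"Example Distrusted Root", "Example Distrusted Intermediate"}

# Constructed whitelist of SHA-256 fingerprints of certificates that were
# already issued before the cut-off and are shipped with the trust store.
SHIPPED_WHITELIST = {
    "sha256:0001-constructed-existing-cert",
    "sha256:0002-constructed-existing-cert",
}


@dataclass
class Cert:
    serial: str
    issuer: str
    not_before: date          # date asserted by the CA itself (untrusted)
    fingerprint: str
    sct_timestamps: list = field(default_factory=list)  # CT log dates, if any


def evaluate(cert, whitelist=SHIPPED_WHITELIST, cutoff=CUTOFF):
    """Return (trusted: bool, reason: str) for one certificate.

    Order matters: the whitelist is checked before the date so that an
    existing certificate stays valid even if its own notBefore were odd.
    """
    if cert.issuer not in DISTRUSTED_ISSUERS:
        return True, "issuer not subject to the distrust"
    if cert.fingerprint in whitelist:
        return True, "pre-existing certificate on the shipped whitelist"
    if cert.not_before >= cutoff:
        return False, "issued on or after the cut-off"
    # The CA claims pre-cut-off issuance, but a CA suspected of backdating
    # cannot vouch for its own dates; require an independent CT timestamp.
    if any(ts < cutoff for ts in cert.sct_timestamps):
        return True, "pre-cut-off issuance corroborated by a CT log"
    return False, "pre-cut-off claim has no CT corroboration and is not whitelisted"


def audit(certs):
    """Summarise how many certificates a given policy keeps or drops.

    This is the kind of count the whitelist-size discussions hinge on: a
    large 'not corroborated' bucket means a large whitelist would be needed.
    """
    summary = {"trusted": 0, "untrusted": 0, "needs_whitelist": 0}
    for c in certs:
        trusted, reason = evaluate(c)
        summary["trusted" if trusted else "untrusted"] += 1
        if not trusted and reason.startswith("pre-cut-off claim"):
            summary["needs_whitelist"] += 1
    return summary


# Constructed sample certificates exercising each branch of the policy.
SAMPLE_CERTS = [
    Cert("01", "Unrelated Root", date(2016, 12, 1), "sha256:other"),
    Cert("02", "Example Distrusted Root", date(2015, 3, 4),
         "sha256:0001-constructed-existing-cert"),
    Cert("03", "Example Distrusted Intermediate", date(2016, 10, 2), "sha256:new"),
    Cert("04", "Example Distrusted Intermediate", date(2016, 1, 15), "sha256:ct-ok",
         sct_timestamps=[date(2016, 1, 15)]),
    Cert("05", "Example Distrusted Intermediate", date(2016, 1, 15), "sha256:no-ct"),
]

if __name__ == "__main__":
    for c in SAMPLE_CERTS:
        print(c.serial, evaluate(c))
    print(audit(SAMPLE_CERTS))
```

Certificate 05 is the case the comment calls out: its notBefore looks fine, but without a CT entry the date is unverifiable, so it is either whitelisted or dropped, and the number of such certificates is what decides whether a shipped whitelist is feasible.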

There are plenty of other ways to get a free certificate, e.g.

Let's Encrypt

AWS Certificate Manager

cPanel's AutoSSL

CloudFlare

Symantec Encryption Everywhere

Not to mention the certificates that can be bought very cheaply through resellers e.g. PositiveSSL.