by oasisbob
3553 days ago
My read on the announcement is that they won't be taking action against the StartCom CA & intermediates at this time.

The WoSign existing-certs exemption probably involves a whitelist they're shipping along with the OS. A lot of the feasibility discussions on this approach have centered on the size of the required whitelist [1]. Taking the same approach with StartCom may not be possible due to the scale. Also, StartCom certificates don't have the same coverage in the Certificate Transparency logs - so the certificate dating is problematic.

Hmmm, thinking about this now, if I were WoSign, I would be having a fire sale on StartCom. Selling the brand immediately (maybe to an existing competent CA) and asking the trust store operators for understanding (probably conditioned on full CT reporting) might be a way to recoup some losses out of all this mess.

Representatives of Qihoo 360, StartCom, and Mozilla are meeting in London next week. I'm very curious what they will be discussing. [2]

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/...
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/...