[Cryptography] distrusted root CA: WoSign

Jeroen van der Ham jeroen at 1sand0s.nl
Sat Oct 1 14:31:01 EDT 2016


> On 01 Oct 2016, at 14:37, Georgi Guninski <guninski at guninski.com> wrote:
> 
> On Fri, Sep 30, 2016 at 11:23:17AM -0700, John Denker wrote:
>>> Mozilla says it has lost confidence in WoSign's ability to protect 
>>> HTTPS system
>> 
> 
> AFAICT, things are more complicated since WoSign bought StartCom and
> they have some cross-signatures, possibly to WoSign roots.
> So mozilla might have to ditch StartCom too, which will break a lot of
> stuff for the lusers.

Mozilla already announced they are planning to distrust StartCom, since WoSign has not been transparent about buying WoSign. Plus there are signs that they are even sharing infrastructure.
Apparently, when bugs were found in StartEncrypt several months ago, they also found a bug where it was possible to get StartEncrypt to issue a WoSign cert(!) for December 20th 2015.

They are planning to distrust future certs, so there is not that much stuff breaking for the “lusers”.

Jeroen.


