[Cryptography] distrusted root CA: WoSign

Tamzen Cannoy tamzen at cannoy.org
Sat Oct 1 23:16:41 EDT 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It appears Apple has acted in this mess on Friday.

https://support.apple.com/kb/index?page=search&type=organic&src=support_searchbox_main&locale=en_US&q=wosign gives the position for macOS, iOS, tvOS, and watchOS.


—
Blocking Trust for WoSign CA Free SSL Certificate G2

Certificate Authority WoSign experienced multiple control failures in their certificate issuance processes for the WoSign CA Free SSL Certificate G2 intermediate CA. Although no WoSign root is in the list of Apple trusted roots, this intermediate CA used cross-signed certificate relationships with StartCom and Comodo to establish trust on Apple products.

In light of these findings, we are taking action to protect users in an upcoming security update. Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA.

To avoid disruption to existing WoSign certificate holders and to allow their transition to trusted roots, Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19. They will continue to be trusted until they expire, are revoked, or are untrusted at Apple’s discretion.

As the investigation progresses, we will take further action on WoSign/StartCom trust anchors in Apple products as needed to protect users.




Tamzen




-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.3.0 (Build 9060)
Charset: utf-8

wj8DBQFX8Hwa5/HCKu9Iqw4RAmwIAJ9aj1JFLltIgNLI3s3NRpKx6CiMjACgrJYN
b5LK2c6D5EaeVLvH2Iz/yB8=
=wtE2
-----END PGP SIGNATURE-----

