[Cryptography] distrusted root CA: WoSign

Georgi Guninski guninski at guninski.com
Sun Oct 2 06:49:54 EDT 2016


On Sat, Oct 01, 2016 at 08:31:01PM +0200, Jeroen van der Ham wrote:
> Mozilla already announced they are planning to distrust StartCom, since WoSign has not been transparent about buying WoSign. Plus there are signs that they are even sharing infrastructure.
> Apparently, when bugs were found in StartEncrypt several months ago, they also found a bug where it was possible to get StartEncrypt to issue a WoSign cert(!) for December 20th 2015.
> 
> They are planning to distrust future certs, so there is not that much stuff breaking for the “lusers”.
>

StartCom was a big CA, maybe something like the 6th biggest in the world.
Their customers will be pissed off about killing the certificates.

I don't get "distrust future certs". Mozilla either trusts root(s) or not.
Root(s) can trivially sign "old" cert requests that require an old date, right now.
Bearing in mind the Chinese have the StartCom roots, they can issue
essentially whatever chains up to the root as long as the roots are trusted.
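The backdating point above, as an added example that is not part of the original post: the notBefore field of an X.509 certificate is chosen by whoever signs it, and the certificate carries no record of when the signature was actually produced. The script below builds a throwaway root, signs a leaf today with a notBefore of 20 December 2015 (the date mentioned in the thread), and shows that the result verifies cleanly. It assumes only the openssl command-line tool; the CA name, hostname and validity dates are made up for the demonstration.

```shell
#!/bin/sh
# Added example: a root can put any notBefore it likes on a certificate it
# signs, so "distrust certs issued after date X" cannot be enforced from the
# certificate's own fields. Assumes openssl is installed; the CA name,
# hostname and dates below are made up for the demonstration.
set -eu

# Creates a root, signs a leaf today with a backdated notBefore, then prints
# the leaf's notBefore and the chain verification result. Runs in a subshell
# so the cd does not leak into the caller.
backdated_issue() (
  workdir=$(mktemp -d)
  cd "$workdir"
  mkdir newcerts            # openssl ca's copy of every issued cert
  : > index.txt             # openssl ca's issuance database
  echo 1000 > serial        # next serial number, hex

  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = .
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/root.pem
private_key     = $dir/root.key
default_md      = sha256
policy          = demo_policy
x509_extensions = v3_leaf
email_in_dn     = no
unique_subject  = no

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = v3_ca

[ req_dn ]
CN = Hypothetical Root CA

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_leaf ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = DNS:example.test
EOF

  # 1. Self-signed root (created today, valid ten years).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
      -days 3650 -config ca.cnf -subj '/CN=Hypothetical Root CA' >/dev/null 2>&1

  # 2. An ordinary CSR for a hostname.
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -config ca.cnf -subj '/CN=example.test' >/dev/null 2>&1

  # 3. The issuer picks the validity window. The signature is computed now,
  #    but notBefore says 2015-12-20; nothing in the cert records the
  #    difference.
  openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.pem -notext \
      -startdate 20151220000000Z -enddate 20301220000000Z >/dev/null 2>&1

  # 4. Show the field a date-based cutoff would have to rely on, then verify
  #    the chain: it is accepted because the root is trusted, full stop.
  openssl x509 -in leaf.pem -noout -startdate
  openssl verify -CAfile root.pem leaf.pem

  cd / && rm -rf "$workdir"
)

backdated_issue
```

Expected output is a `notBefore=Dec 20 00:00:00 2015 GMT` line followed by `leaf.pem: OK`. A relying party that trusts the root therefore cannot tell this certificate from one genuinely issued in 2015; any policy of the form "trust certificates issued before date X" needs a time source the CA does not control, such as a timestamp signed by a third party, rather than the certificate's own notBefore.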

