[Cryptography] distrusted root CA: WoSign
Florian Weimer
fw at deneb.enyo.de
Sun Oct 2 15:41:58 EDT 2016
* Georgi Guninski:
> Don't get "distrust future certs". Mozilla either trust root(s) or not.
> Root(s) can trivially sign "old" cert requests, requiring old date now.
> Having in mind the chinese have the Startcom, roots, they can issue
> essentially whatever chaining up to root as long as the roots are trusted.
The idea is to whitelist certificates which have been logged to the
Certificate Transparency servers prior to a cut-off date. As long as
you trust the timestamps of those servers (or even just your previous
downloads you have kept), the CAs cannot backdate that.
More information about the cryptography
mailing list