[Cryptography] distrusted root CA: WoSign
Christian Huitema
huitema at huitema.net
Sun Oct 2 16:17:53 EDT 2016
On Sunday, October 2, 2016 3:50 AM, Georgi Guninski wrote:
>
> On Sat, Oct 01, 2016 at 08:31:01PM +0200, Jeroen van der Ham wrote:
>> ...
>> They are planning to distrust future certs, so there is not that much stuff breaking for the “lusers”.
> ...
> Don't get "distrust future certs". Mozilla either trust root(s) or not.
> Root(s) can trivially sign "old" cert requests, requiring old date now.
From what I read, Mozilla will use the "certificate transparency" archives. Certificates that were registered in the CT lists before the cut-off date will be considered old. Everything else is new, regardless of the date in the certificate. Looks like a great use of CT to reduce the power of the CA.
-- Christian Huitema
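
The rule described in the message above, sketched as an added example (not part of the original post and not Mozilla's code): a certificate counts as "old" only if a CT log timestamped it before the cut-off, and a pre-cut-off notBefore without such a log entry is flagged as possible backdating. The cut-off date, the function names and the sample SCTs are constructed for illustration, and SCT signatures are not verified here.

```python
import struct
from datetime import datetime, timezone

# Constructed placeholder: the post does not state the actual cut-off date.
CUTOFF = datetime(2016, 10, 1, tzinfo=timezone.utc)

def parse_sct_timestamps(blob):
    """Return the log timestamps in an RFC 6962 SignedCertificateTimestampList."""
    if len(blob) < 2 or struct.unpack_from(">H", blob)[0] != len(blob) - 2:
        raise ValueError("SCT list length mismatch")
    times, pos = [], 2
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated SCT length")
        (sct_len,) = struct.unpack_from(">H", blob, pos)
        sct = blob[pos + 2 : pos + 2 + sct_len]
        # v1 SCT: version(1) log_id(32) timestamp(8) ext_len(2) alg(2) sig_len(2)
        if len(sct) != sct_len or sct_len < 47 or sct[0] != 0:
            raise ValueError("truncated or unsupported SCT")
        millis = struct.unpack_from(">Q", sct, 33)[0]
        times.append(datetime.fromtimestamp(millis / 1000, tz=timezone.utc))
        pos += 2 + sct_len
    return times

def classify(not_before, sct_list, cutoff=CUTOFF):
    """Return (label, backdating_suspected). The CA-chosen notBefore never
    makes a certificate 'old'; only a log timestamp before the cut-off does.
    A real client must first verify each SCT signature with a trusted log key."""
    logged_before = any(t < cutoff for t in parse_sct_timestamps(sct_list))
    label = "old" if logged_before else "new"
    return label, (not logged_before and not_before < cutoff)

def make_sct_list(*log_times):
    """Constructed sample data: zeroed log ids and dummy 4-byte signatures."""
    out = b""
    for ts in log_times:
        body = b"\x00" + bytes(32) + struct.pack(">Q", int(ts.timestamp() * 1000))
        body += struct.pack(">H", 0) + b"\x04\x03" + struct.pack(">H", 4) + bytes(4)
        out += struct.pack(">H", len(body)) + body
    return struct.pack(">H", len(out)) + out

if __name__ == "__main__":
    utc = timezone.utc
    honest = make_sct_list(datetime(2016, 3, 1, tzinfo=utc))
    late = make_sct_list(datetime(2016, 11, 5, tzinfo=utc))
    print(classify(datetime(2016, 3, 1, tzinfo=utc), honest))   # logged in time
    print(classify(datetime(2015, 12, 20, tzinfo=utc), late))   # old date, logged late
```
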