[Cryptography] distrusted root CA: WoSign

[John Denker]

In case you missed it:

http://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/

> There are several hundred authorities trusted by Firefox and other
> major browsers, and each of them represents a single point of failure
> that has the potential to take down all, or at least large portions,
> of the trusted Web as we know it. The fragility clearly isn't lost on
> Mozilla, and it shouldn't be lost on anyone else, either.

In general, why do we put up with this?  Why, why, why?

---------------------------------------
In particular:

> Mozilla says it has lost confidence in WoSign's ability to protect 
> HTTPS system

> To satisfy customers who experienced difficulty retiring the old
> [SHA-1] hashing function, WoSign continued to use it anyway and
> concealed the use by dating certificates prior to the first of this
> year, Mozilla officials said. They also accused WoSign of improperly
> concealing its acquisition of Israeli certificate authority StartCom,
> which was used to issue at least one of the improperly issued
> certificates.

Mozilla reportedly intends to take action "in the near future" but
no specific date was announced.  Also it's not clear what the Beast
of Redmond plans to do.

Suggestion to speed things along:  Here's what I did on my Ubuntu systems:
  :; cd /usr/share/ca-certificates/mozilla
  :; mkdir deprecated
  :; mv *WoSign* deprecated/