> On Sep 27, 2016, at 6:31 PM, Giovanni Harting <5...@idlegandalf.com> wrote:
> 
> Correct me if I'm wrong, but that document you describe, issued by Mozilla and 
> others, doesn't it state that it would only affect newly issued certs after a 
> certain date?

Yes, quote:

    Taking into account all the issues listed above, Mozilla's CA
    team has lost confidence in the ability of WoSign/StartCom to
    faithfully and competently discharge the functions of a CA.
    Therefore we propose that, starting on a date to be determined
    in the near future, Mozilla products will no longer trust
    newly-issued certificates issued by either of these two CA
    brands.

    We plan to distrust only newly-issued certificates to try and
    reduce the impact on web users, as both of these CA brands have
    substantial outstanding certificate corpuses. Our proposal is
    that we determine "newly issued" by examining the notBefore
    date in the certificates. It is true that this date is chosen
    by the CA and therefore WoSign/StartCom could back-date
    certificates to get around this restriction. And there is, as
    we have explained, evidence that they have done this in the
    past. However, many eyes are on the Web PKI and if such additional
    back-dating is discovered (by any means), Mozilla will immediately
    and permanently revoke trust in all WoSign and StartCom roots.

-- 
        Viktor.