> On Sep 27, 2016, at 6:31 PM, Giovanni Harting <5...@idlegandalf.com> wrote:
>
> Correct me if I'm wrong, but that document you describe issues by Mozilla and
> others, doesn't it state that it would only affect new issues certs after a
> certain date?
Yes, quote:
Taking into account all the issues listed above, Mozilla's CA
team has lost confidence in the ability of WoSign/StartCom to
faithfully and competently discharge the functions of a CA.
Therefore we propose that, starting on a date to be determined
in the near future, Mozilla products will no longer trust
newly-issued certificates issued by either of these two CA
brands.
We plan to distrust only newly-issued certificates to try and
reduce the impact on web users, as both of these CA brands have
substantial outstanding certificate corpuses. Our proposal is
that we determine "newly issued" by examining the notBefore
date in the certificates. It is true that this date is chosen
by the CA and therefore WoSign/StartCom could back-date
certificates to get around this restriction. And there is, as
we have explained, evidence that they have done this in the
past. However, many eyes are on the Web PKI and if such additional
back-dating is discovered (by any means), Mozilla will immediately
and permanently revoke trust in all WoSign and StartCom roots.
--
--
Viktor.
