This may be way off topic; if so, I apologise.
Looking at the available CAs, many of them do not seem to pass the
sniff test. WoSign/StartCom are not alone in being found to be
either incompetent or dishonest. Which made me wonder if there might be
an alternative to CA issued certs. Is there any way that DNS/DNSSEC could
be used to publish and verify certs?
JohnA
On 27/09/16 06:29 PM, Viktor Dukhovni wrote:
WoSign (who seemingly purchased StartCom) seem to have run into
some compliance issues as reported by Firefox:
http://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/
Many SMTP servers are using certs from StartCom. In my DANE
adoption survey, out of 2201 certificates used by DANE MX
hosts 411 are issued by StartCom and 47 by WoSign. So that's
just over 20% of observed certificates. While the rate is
likely different for the larger SMTP ecosystem (DANE users
are bleeding edge, not representative at this time), I expect
that these CAs are still quite popular overall.
If you're using StartCom/WoSign certs, and rely on them being
verified by MUAs and/or peer MTAs, you may want to make
contingency plans if Mozilla and perhaps others go through
with delisting (or disabling) the related root CAs from
their trusted CA bundles.
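The DNS/DNSSEC mechanism asked about above is DANE (RFC 6698, applied to SMTP in RFC 7672): the MX host's certificate, or just its public key, is hashed and published in a TLSA record under a DNSSEC-signed zone, and a DANE-aware MTA such as the ones in Viktor's survey checks the presented certificate against it instead of (or in addition to) the CA bundle. The following is an added, stand-alone example written for this thread, not code from either poster; it uses only the Python standard library and walks the DER structure of an X.509 certificate to build the TLSA RDATA. The certificate it runs on is a constructed dummy with filler names and key bytes, and the owner name `_25._tcp.mail.example.com.` is an assumption for illustration.

```python
"""Build DANE TLSA records (RFC 6698 / RFC 7672) from an X.509 certificate,
standard library only.  Added example for the thread, not code from the posts."""
import base64
import hashlib
import re


def der_read_tlv(buf, pos):
    """Read one DER TLV at buf[pos:]; return (tag, value_start, value_end, next_pos).
    Handles single-byte tags and definite short/long form lengths, which is all
    a certificate needs."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length, pos + length


def der_children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vend, nxt = der_read_tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = nxt


def spki_from_der_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo (what TLSA selector 1 hashes).
    RFC 5280 layout:
      Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
      TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                    issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, vstart, vend, _ = der_read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tbs = next(der_children(cert_der, vstart, vend))
    if tbs[0] != 0x30:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    fields = list(der_children(cert_der, tbs[2], tbs[3]))
    if fields[0][0] == 0xA0:                # EXPLICIT [0] version is optional (absent in v1)
        fields = fields[1:]
    spki = fields[5]                        # serial, sigalg, issuer, validity, subject, SPKI
    return cert_der[spki[1]:spki[3]]


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """TLSA RDATA text "usage selector matching-type data".
    selector: 0 = full certificate, 1 = SubjectPublicKeyInfo.
    mtype:    0 = raw data (hex), 1 = SHA-256, 2 = SHA-512.
    Usage 3 (DANE-EE) pins the end-entity cert/key without involving any CA."""
    data = cert_der if selector == 0 else spki_from_der_cert(cert_der)
    if mtype == 0:
        digest = data.hex()
    elif mtype == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {digest}"


def tlsa_record(owner, cert_der, usage=3, selector=1, mtype=1):
    """Full zone-file line for an MX host, e.g. owner "_25._tcp.mail.example.com."."""
    return f"{owner} IN TLSA {tlsa_rdata(cert_der, usage, selector, mtype)}"


def pem_to_der(pem_text):
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem_text)
    return base64.b64decode(body)


def der_to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed dummy certificate."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


# Constructed dummy certificate: RFC 5280 structure, but empty names and filler key
# and signature bytes.  It is NOT a real or CA-issued certificate.
_EC_PUBKEY_OID = bytes.fromhex("2A8648CE3D0201")      # 1.2.840.10045.2.1 ecPublicKey
_ECDSA_SHA256_OID = bytes.fromhex("2A8648CE3D040302")  # 1.2.840.10045.4.3.2
SYNTHETIC_SPKI = der(0x30, der(0x30, der(0x06, _EC_PUBKEY_OID))
                     + der(0x03, b"\x00" + bytes(range(65))))
_tbs = der(0x30,
           der(0xA0, der(0x02, b"\x02"))                 # [0] version v3
           + der(0x02, b"\x01")                         # serialNumber
           + der(0x30, der(0x06, _ECDSA_SHA256_OID))    # signature AlgorithmIdentifier
           + der(0x30, b"")                             # issuer (empty Name, filler)
           + der(0x30, der(0x17, b"160927000000Z") + der(0x17, b"170927000000Z"))
           + der(0x30, b"")                             # subject (empty Name, filler)
           + SYNTHETIC_SPKI)
SYNTHETIC_CERT_DER = der(0x30, _tbs + der(0x30, der(0x06, _ECDSA_SHA256_OID))
                         + der(0x03, b"\x00" + b"\x01" * 64))

if __name__ == "__main__":
    print(tlsa_record("_25._tcp.mail.example.com.", SYNTHETIC_CERT_DER))        # 3 1 1
    print(tlsa_record("_25._tcp.mail.example.com.", SYNTHETIC_CERT_DER, 3, 0, 1))  # 3 0 1
```

For a real deployment, feed `pem_to_der(open("mail.pem").read())` to `tlsa_record`, publish the result in a DNSSEC-signed zone, and cross-check the digest with `openssl x509 -in mail.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`. The "3 1 1" form hashes only the SubjectPublicKeyInfo, so the record stays valid when the certificate is reissued or re-keyed by a different CA as long as the key pair is kept; that is exactly what makes DANE-EE independent of which CA is in a browser or MTA trust bundle, although the certificate itself still has to be there for the TLS handshake and the key must be rotated before the TLSA record changes, not after.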