On 26/10/16 01:27, Percy wrote:
> WoSign will roll out a globally trusted intermediate cert to sign new
> certs with the existing WoSign system that had so many control
> failures.
>
> Do Mozilla and this community accept such a work-around for WoSign?
> If we do, then what's the point of distrusting those WoSign root certs?
> If not, then what's an appropriate response for WoSign's
> announcement?
Has WoSign publicly stated that this will be an intermediate certificate for which they hold the private key, or could this simply mean they'll act as a (kind of) white-label reseller for some other CA until they've completed the (re-)application process?

I don't think Mozilla should allow WoSign to use a new cross-signed intermediate under their control until they've completed the application process, but I don't see the problem if they plan to act as a reseller for now to keep their business operational.

If this is indeed Mozilla's policy on this issue (and not just my opinion), it might be worth thinking about communicating this to CAs to avoid trouble down the line.

Hopefully WoSign will be able to comment on this and clarify their plans.