> On Sep 14, 2017, at 04:49, Gervase Markham via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> We should add the existing Certinomis cross-signs to OneCRL to revoke
> all the existing certificates. As of 10th August (now a month ago)
> StartCom said they have 50000 outstanding SSL certs which are valid due
> to the Certinomis cross-sign. Revoking them all by adding intermediates
> to OneCRL would therefore lead to non-negligible disruption. But these
> were issued by an org whose most recent audits are qualified, which is
> under sanction, and about whose issuance practices and process safety
> there is a reasonable amount of doubt. We may allow a grace period for
> customers to replace them with certs from a trusted provider.

I’m not yet convinced a grace period is necessary. StartCom does not list 
Firefox as a compatible browser on their website (they have the logos for 
Internet Explorer, Microsoft Edge, Android, and Windows).

Additionally, there are multiple steps in the StartCom issuance flow that 
contain the following in red text:

> Notice:
> 1. Mozilla and Google decided to distrust all StartCom root certificates as
> of 21st of October, 2016, meaning that since January all the SSL certificates
> issued from that date will no longer be trusted in the newest Firefox and Chrome
> releases.
> Besides, Google has gone further and, as explained here:
> https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
> will not trust even those SSL certificates issued before that date until the
> final disruption.
> Apple's decision announced on Nov 30th, 2016 was to distrust all StartCom
> root certificates as of 1st of December, meaning that SSL certs issued after
> December 1st, 2016 will no longer be trusted in Apple's systems.
> 2. Any subscribers that paid the validation fee after Oct. 21st, 2016 can get a
> full refund by request.
> 3. Currently StartCom is able to provide an interim solution for organization
> users if requested.
> Meanwhile StartCom is updating all systems and is following all requirements
> requested by Mozilla to regain the trust in these browsers and re-apply after
> the 6-month time penalty.

Given this explicit notification, I do not believe that subscribers would ever 
have had the expectation that their certificates would work with Firefox.

Jonathan
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy