https://bugs.kde.org/show_bug.cgi?id=369148

ase093 <logan...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|WONTFIX                     |---
             Status|RESOLVED                    |UNCONFIRMED

--- Comment #8 from ase093 <logan...@gmail.com> ---
https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview

> Taking into account all the issues listed above, Mozilla’s CA team has lost 
> confidence in the ability of WoSign/StartCom to faithfully and competently 
> discharge the functions of a CA. Therefore we propose that, starting on a 
> date to be determined in the near future, Mozilla products will no longer 
> trust newly-issued certificates issued by either of these two CA brands.

> We plan to distrust only newly-issued certificates to try and reduce the 
> impact on web users, as both of these CA brands have substantial outstanding 
> certificate corpuses. Our proposal is that we determine “newly issued” by 
> examining the notBefore date in the certificates. It is true that this date 
> is chosen by the CA and therefore WoSign/StartCom could back-date 
> certificates to get around this restriction. And there is, as we have 
> explained, evidence that they have done this in the past. However, many eyes 
> are on the Web PKI and if such additional back-dating is discovered (by any 
> means), Mozilla will immediately and permanently revoke trust in all WoSign 
> and StartCom roots.

Mozilla has decided to not trust StartCom anymore. Although KDE is fine for
now, the current StartCom certificate will expire in less than a year, before
StartCom can start the readmission process. I still believe using Let's
Encrypt, even though involving re-architecture, is a better move long-term.
Anyway, your choice.
