https://bugs.kde.org/show_bug.cgi?id=369148
ase093 <logan...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|WONTFIX                     |---
             Status|RESOLVED                    |UNCONFIRMED

--- Comment #8 from ase093 <logan...@gmail.com> ---
https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview

> Taking into account all the issues listed above, Mozilla’s CA team has lost
> confidence in the ability of WoSign/StartCom to faithfully and competently
> discharge the functions of a CA. Therefore we propose that, starting on a
> date to be determined in the near future, Mozilla products will no longer
> trust newly-issued certificates issued by either of these two CA brands.
> We plan to distrust only newly-issued certificates to try and reduce the
> impact on web users, as both of these CA brands have substantial outstanding
> certificate corpuses. Our proposal is that we determine “newly issued” by
> examining the notBefore date in the certificates. It is true that this date
> is chosen by the CA and therefore WoSign/StartCom could back-date
> certificates to get around this restriction. And there is, as we have
> explained, evidence that they have done this in the past. However, many eyes
> are on the Web PKI and if such additional back-dating is discovered (by any
> means), Mozilla will immediately and permanently revoke trust in all WoSign
> and StartCom roots.

Mozilla has decided to not trust StartCom anymore. Although KDE is fine for now, the current StartCom certificate will expire in less than a year, before StartCom can start the readmission process.

I still believe using Let's Encrypt, even though involving re-architecture, is a better move long-term. Anyway, your choice.