Correct me if I'm wrong, but that document you describe, issued by Mozilla and others, doesn't it state that it would only affect newly issued certs after a certain date?

On 09/28/16 at 00:29, Viktor Dukhovni wrote:
WoSign (who seemingly purchased StartCom) seem to have run into
some compliance issues as reported by Firefox:

    
http://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/

Many SMTP servers are using certs from StartCom.  In my DANE
adoption survey, out of 2201 certificates used by DANE MX
hosts 411 are issued by StartCom and 47 by WoSign.  So that's
just over 20% of observed certificates.  While the rate is
likely different for the larger SMTP ecosystem (DANE users
are bleeding edge, not representative at this time), I expect
that these CAs are still quite popular overall.

If you're using StartCom/WoSign certs, and rely on them being
verified by MUAs and/or peer MTAs, you may want to make
contingency plans if Mozilla and perhaps others go through
with delisting (or disabling) the related root CAs from
their trusted CA bundles.

