On 2016-09-28 00:31, Giovanni Harting wrote:
> Correct me if I'm wrong, but that document you describe, issued by
> Mozilla and others, doesn't it state that it would only affect newly
> issued certs after a certain date?

Yes, but most StartSSL/WoSign certificates are only valid for a year or less. So customers should start looking for alternative providers *now*, because a year-long block will affect almost all of them.

> On 09/28/16 at 00:29, Viktor Dukhovni wrote:
>> WoSign (who seemingly purchased StartCom) seem to have run into
>> some compliance issues as reported by Firefox:
>>
>> http://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/
>>
>> Many SMTP servers are using certs from StartCom. In my DANE
>> adoption survey, out of 2201 certificates used by DANE MX
>> hosts 411 are issued by StartCom and 47 by WoSign. So that's
>> just over 20% of observed certificates. While the rate is
>> likely different for the larger SMTP ecosystem (DANE users
>> are bleeding edge, not representative at this time), I expect
>> that these CAs are still quite popular overall.
>>
>> If you're using StartCom/WoSign certs, and rely on them being
>> verified by MUAs and/or peer MTAs, you may want to make
>> contingency plans if Mozilla and perhaps others go through
>> with delisting (or disabling) the related root CAs from
>> their trusted CA bundles.
>>
>

--
Best Regards,
Sven Schwedas, System Administrator
Mail/XMPP sven.schwe...@tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167