After being pinged by Mozilla for issuing backdated SHA-1 certificates, Chinese certificate authority WoSign's owner has put the cleaners through the management of WoSign and StartCom. Mozilla put WoSign and StartCom on notice at the end of September. As part of its response, the company has posted around 200,000 certificates …
Monday 10th October 2016 06:44 GMT planetguy
Lost my trust
This is the same WoSign who issued a random guy a cert for "github.com", as written up at https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com ? To me it seems that they must either be incompetent or they just don't give a hoot. Either way, I don't trust them, and root CA maintainers shouldn't either.
Monday 10th October 2016 09:01 GMT Alan J. Wylie
Archived copy of Tyro's blog post about backdated SHA-1 certs
we made a decision to implement a temporary workaround to allow our small and medium-sized merchants to continue to transact. We reached out in good faith to certificate authorities to provide a few months runway to resolve this big challenge in a way that had minimal impact on merchants.
Monday 10th October 2016 09:44 GMT Brian of Romsey
A warning shot?
Perhaps this will prompt other CAs to review their behaviour, seeing as there actually are consequences. But don't hold your breath.
The possibility that WoSign / StartCom are the only companies running below-par operations is very low. Perhaps this is Mozilla / Apple putting a warning shot across the (low end of the) industry's bows?