StartCom's credibility called into question

After the SSL certificate provider StartCom was quietly sold to the Chinese company WoSign, the integrity and credibility of the certificates that StartCom and WoSign have signed (and back-dated) have been called into question:

Taking into account all the issues listed above, Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA. Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands.

We plan to distrust only newly-issued certificates to try and reduce the impact on web users, as both of these CA brands have substantial outstanding certificate corpuses. Our proposal is that we determine “newly issued” by examining the notBefore date in the certificates. It is true that this date is chosen by the CA and therefore WoSign/StartCom could back-date certificates to get around this restriction. And there is, as we have explained, evidence that they have done this in the past. However, many eyes are on the Web PKI and if such additional back-dating is discovered (by any means), Mozilla will immediately and permanently revoke trust in all WoSign and StartCom roots.
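The notBefore-based cutoff described in the quote can be modelled as a policy check, together with the loophole it leaves open: the CA chooses notBefore, so the rule alone cannot see back-dating, and an independent first-observation timestamp is needed to catch it. This is an added example, not code from the post or from Mozilla; the cutoff date, CA brand names, skew tolerance and timestamps are constructed.

```python
"""Model of a notBefore-based distrust rule for specific CA brands,
plus a heuristic for the back-dating loophole the rule cannot close by itself.
Added example with constructed values; not Mozilla's actual implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DISTRUSTED_BRANDS = {"WoSign", "StartCom"}
# Constructed cutoff: certificates from these brands whose notBefore is on or
# after this instant count as "newly issued" and are not trusted.
CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)
# Tolerance for ordinary clock skew between the CA and an outside observer.
SKEW = timedelta(days=1)


@dataclass
class CertInfo:
    issuer_brand: str                      # CA brand that signed the cert
    not_before: datetime                   # chosen by the CA itself
    first_seen: Optional[datetime] = None  # when an independent observer first saw it


def trust_decision(cert: CertInfo) -> str:
    """Return 'trusted', 'distrusted-new' or 'suspected-backdated'."""
    if cert.issuer_brand not in DISTRUSTED_BRANDS:
        return "trusted"
    if cert.not_before >= CUTOFF:
        return "distrusted-new"
    # notBefore predates the cutoff, so the date rule alone would accept it.
    # Heuristic (assumes the observer has watched this CA's issuance
    # continuously since before the cutoff): a certificate first observed
    # after the cutoff, yet claiming a notBefore well before it was seen,
    # matches the back-dating pattern the quote describes and needs review.
    if (cert.first_seen is not None
            and cert.first_seen >= CUTOFF
            and cert.first_seen - cert.not_before > SKEW):
        return "suspected-backdated"
    return "trusted"


if __name__ == "__main__":
    samples = [  # constructed certificates
        CertInfo("ExampleCA", CUTOFF + timedelta(days=5)),
        CertInfo("WoSign", CUTOFF + timedelta(days=5)),
        CertInfo("StartCom", CUTOFF - timedelta(days=30), CUTOFF - timedelta(days=29)),
        CertInfo("StartCom", CUTOFF - timedelta(days=30), CUTOFF + timedelta(days=10)),
    ]
    for s in samples:
        print(s.issuer_brand, s.not_before.date(), "->", trust_decision(s))
```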

It is becoming increasingly difficult not to paint the entire Chinese IT industry with the same brush. Incidentally, I have blocked all traffic from China in my firewall.

© 2018 Omsoc Publishing AB