WoSign/StartSSL 要完蛋了

2016-09-27 01:08:18 +08:00
 rio

https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview

Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA. Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands.

We plan to distrust only newly-issued certificates to try and reduce the impact on web users, as both of these CA brands have substantial outstanding certificate corpuses. Our proposal is that we determine “newly issued” by examining the notBefore date in the certificates. It is true that this date is chosen by the CA and therefore WoSign/StartCom could back-date certificates to get around this restriction. And there is, as we have explained, evidence that they have done this in the past. However, many eyes are on the Web PKI and if such additional back-dating is discovered (by any means), Mozilla will immediately and permanently revoke trust in all WoSign and StartCom roots.

14328 次点击
所在节点    SSL
79 条回复
EricCartman
2016-09-27 01:22:39 +08:00
喜闻乐见,互联网上有些东西还真不敢用国产
Showfom
2016-09-27 02:02:14 +08:00
哈哈
Remember
2016-09-27 02:09:48 +08:00
喜大普奔
zk8802
2016-09-27 02:30:08 +08:00
这段话值得注意:
In our policy newsgroup, WoSign proposed that an appropriate response to this list of issues (or the subset of them known at the time they made their proposal, which did not include any of the SHA-1 backdating information) would be to constrain them to issuing in the China market only in future.

真的希望沃通的人不是认真的…
aritionkb
2016-09-27 03:51:36 +08:00
@zk8802 服了,只坑自己人
lslqtz
2016-09-27 04:34:38 +08:00
哈哈,那些想用沃通的去吧!
lslqtz
2016-09-27 04:38:17 +08:00
这非常棒,我已经开始更新。
http://osu.ppy.sh/ss/6188219
lslqtz
2016-09-27 04:41:45 +08:00
但我发现并没被不信任...
aprikyblue
2016-09-27 05:08:07 +08:00
@lslqtz 具体落实措施应该还要一段时间吧。。。更新啥的。。
aprikyblue
2016-09-27 05:16:54 +08:00
@lslqtz
哦,是新签发的不会再受信任。。

> We plan to distrust only newly-issued certificates to try and reduce the impact on web users, as both of these CA brands have substantial outstanding certificate corpuses.
xrui
2016-09-27 06:33:13 +08:00
前几天上百度看见一个首页的新闻:「国内 CA 机构因使用国产加密算法可能会遭遇国外浏览器制裁」。心中一惊,仔细一看,断章取义,小题大做。论做文章的本领,果然是名不虚传。
我是赞同 Mozilla 的,但在不懂英语的人那里,大概 wosign 的问题将会被归结到使用了 sm2 。或许 Mozilla 又要被抵制了?
yexm0
2016-09-27 06:52:11 +08:00
做的好!
terence4444
2016-09-27 07:10:02 +08:00
如果我把根证书禁了会有哪些网站用不了?
alexyangjie
2016-09-27 07:21:28 +08:00
太好了。遇见到了这一天。
nvidiaAMD980X
2016-09-27 07:26:31 +08:00
大快人心!
kn007
2016-09-27 07:38:49 +08:00
干得漂亮
laoyur
2016-09-27 07:53:47 +08:00
想听听那些号称

『你不信任可以不用』
『把百度的吊销了,顶多百度的软件不会被安装。
把沃通吊销了,是一波网站不能用,还有购买付费证书的。

你吊不吊销可以,请不要到哪里都叫嚣着吊销。』

类似言论的现在怎么说
cnkuner
2016-09-27 08:11:10 +08:00
完蛋了
princeofwales
2016-09-27 08:34:32 +08:00
我们公司买的通配符证书,就是 wosign 的
没错,还是我采购的
明年 4 月到期
devz1984
2016-09-27 08:41:45 +08:00
这个。
影响代码签名证书吗?

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/309184

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX