top | item 33877290


jannic | 3 years ago

> Certificates signed by TrustCor that were issued before December 1st will still be trusted (for now); certificates issued on December 1st or later will not be.

How does this work? If TrustCor is no longer trusted, what keeps them from creating certificates which claim to be issued before December 1st, even after that date?


pimterry | 3 years ago

> what keeps them from creating certificates which claim to be issued before December 1st, even after that date?

See https://groups.google.com/a/mozilla.org/g/dev-security-polic... for the actions proposed depending on how the TrustCor situation plays out:

> If there is reason to believe that the CA has mis-used certificates or the CA backdates certificates to bypass the distrust-after settings, then remove the root certificates from Mozilla’s root store in an expedited timeline, without waiting for the end-entity certificates to expire.

Right now, they're being slowly removed for poor behaviour in general, but there's no direct evidence of abuse of CA powers. If any clear evidence of that appears in future, including backdating certificates, then they'll be completely removed from the trust store immediately.
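An added illustration of the question raised in this thread, not code from Mozilla, TrustCor or either commenter: the date rule depends on a field the CA writes itself, so the sketch cross-checks it against Certificate Transparency log timestamps, which the CA does not control. It assumes the rule is evaluated against the certificate's notBefore field and that SCT timestamps are available; the cutoff year, the tolerance, and all record names and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumption: cutoff is 00:00 UTC on December 1st; the year is a constructed value.
DISTRUST_AFTER = datetime(2022, 12, 1, tzinfo=UTC)
# Assumption: a small gap is normal, since CAs often set notBefore slightly in the
# past to absorb clock skew. Only larger gaps count as a backdating signal.
BACKDATE_TOLERANCE = timedelta(days=2)

@dataclass
class CertRecord:
    name: str
    not_before: datetime  # asserted by the CA itself
    sct_timestamps: list = field(default_factory=list)  # signed by CT logs

def evaluate(cert, cutoff=DISTRUST_AFTER, tolerance=BACKDATE_TOLERANCE):
    """Return (trusted_by_date_rule, backdating_suspected or None if unverifiable)."""
    trusted = cert.not_before < cutoff
    if not cert.sct_timestamps:
        return trusted, None  # nothing independent to cross-check notBefore against
    first_logged = min(cert.sct_timestamps)
    gap = first_logged - cert.not_before
    # Suspicious: passes the date rule, yet was first logged after the cutoff
    # and long after the issuance date it claims.
    return trusted, trusted and first_logged >= cutoff and gap > tolerance

# Constructed sample records (hypothetical names and dates, not real certificates).
SAMPLES = [
    CertRecord("old.example", datetime(2022, 10, 3, tzinfo=UTC),
               [datetime(2022, 10, 3, 0, 5, tzinfo=UTC)]),
    CertRecord("new.example", datetime(2022, 12, 5, tzinfo=UTC),
               [datetime(2022, 12, 5, 0, 1, tzinfo=UTC)]),
    CertRecord("skew.example", datetime(2022, 11, 30, 23, 0, tzinfo=UTC),
               [datetime(2022, 12, 1, 0, 10, tzinfo=UTC)]),
    CertRecord("backdated.example", datetime(2022, 11, 15, tzinfo=UTC),
               [datetime(2022, 12, 20, tzinfo=UTC), datetime(2022, 12, 21, tzinfo=UTC)]),
    CertRecord("unlogged.example", datetime(2022, 11, 20, tzinfo=UTC)),
]

def report(samples=SAMPLES):
    return {c.name: evaluate(c) for c in samples}

if __name__ == "__main__":
    for name, (trusted, suspected) in report().items():
        print(f"{name:20} trusted={trusted!s:5} backdating_suspected={suspected}")
```

A record flagged here is a lead for investigation rather than proof, and a certificate with no log timestamps cannot be checked this way at all.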