WoSign's issues not just political... (Score 2)
The thing everyone jumped on WoSign for was doing a customer a favour. Some significant Australian customer wasn't ready for SHA1 certificates being phased out and asked if WoSign could help them out. WoSign issued back-dated SHA1 certificates for the customer.
Yep - and I'm pretty sure we know who that customer was. There are still major institutions using SHA1 certs internally - and if they get moved to newer ones by the end of the year then I'd be shocked. The reality is, this stinks of a scapegoat - the industry in question would face *MASSIVE* disruption for the everyday Australian because of the relatively quick move to higher level certs. A lot of these are still contained within embedded devices that cannot upgrade so easily.
Instead, let's execute the CA for political reasons. Don't pretend it's anything else.
Looking through Mozilla's list of WoSign Issues, it looks like WoSign not only issued
- long lived SHA1 certs
- identical certs other than the notbefore date
- certs with identical serials
- certs that violate the "Baseline Requirements"
- certs using unapproved cryptographic settings
but their setup also violated a number of other best practices and security measures too (such as unpatched servers). However, I'll note that on the political front folks were unhappy that the Startcom acquisition wasn't made public earlier. Outside of that, though, there are a lot of different technical complaints.
CAs have been dropped in the past for non-political problems (see DigiNotar) so I don't think it's fair to attribute WoSign's woes to purely political motivations as you alleged.
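The issues listed above (back-dated SHA1 certs, long-lived certs, reused serials) are all things a CA auditor or a CT-log consumer can check mechanically. The Go program below is an added illustration, not code from the thread, from Mozilla, or from WoSign. It runs four checks over constructed `crypto/x509` certificate records, and the key design point is that the SHA-1 rule is judged against the time the certificate was actually issued (something the CA does not control, such as a CT log timestamp) rather than against `notBefore`, since a back-dated `notBefore` is exactly what the SHA1 favour relied on. The 48-hour clock-skew tolerance and the `Record`/`Finding` types are assumptions of this example; the 1 January 2016 SHA-1 cutoff and the 39-month validity cap are from the Baseline Requirements of the time.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sha1Cutoff: the CA/Browser Forum Baseline Requirements forbade issuing
// SHA-1 signed certificates on or after 1 January 2016.
var sha1Cutoff = time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)

const (
	maxBackdate    = 48 * time.Hour // assumed tolerance for CA clock skew
	maxValidMonths = 39             // BR validity cap in force in 2016
)

// Finding is one policy violation for one certificate serial.
type Finding struct {
	Serial string
	Rule   string
}

// Record pairs a certificate with the time it was actually issued, taken
// from evidence the CA cannot rewrite (CT log SCT, auditor records).
type Record struct {
	Cert     *x509.Certificate
	IssuedAt time.Time
}

func isSHA1(a x509.SignatureAlgorithm) bool {
	return a == x509.SHA1WithRSA || a == x509.ECDSAWithSHA1 || a == x509.DSAWithSHA1
}

// Audit returns findings in input order, rules in a fixed order per cert.
func Audit(recs []Record) []Finding {
	var out []Finding
	seenSerial := map[string]bool{} // issuer DN + serial
	for _, r := range recs {
		c := r.Cert
		serial := c.SerialNumber.String()
		add := func(rule string) { out = append(out, Finding{serial, rule}) }

		// Rule 1: notBefore earlier than real issuance minus skew => back-dated.
		if c.NotBefore.Before(r.IssuedAt.Add(-maxBackdate)) {
			add("backdated-notbefore")
		}
		// Rule 2: SHA-1 signature issued on/after the cutoff. Uses IssuedAt,
		// not NotBefore, so back-dating cannot hide the violation.
		if isSHA1(c.SignatureAlgorithm) && !r.IssuedAt.Before(sha1Cutoff) {
			add("sha1-after-cutoff")
		}
		// Rule 3: validity period longer than the BR cap.
		if c.NotAfter.After(c.NotBefore.AddDate(0, maxValidMonths, 0)) {
			add("validity-too-long")
		}
		// Rule 4: serial number reused under the same issuer.
		key := c.Issuer.String() + "|" + serial
		if seenSerial[key] {
			add("duplicate-serial")
		}
		seenSerial[key] = true
	}
	return out
}

// Sample builds constructed records (not real WoSign data) covering each rule.
func Sample() []Record {
	issuer := pkix.Name{CommonName: "Constructed Test CA"}
	day := func(y, m, d int) time.Time {
		return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC)
	}
	mk := func(serial int64, alg x509.SignatureAlgorithm, nb, na time.Time) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Issuer: issuer,
			SignatureAlgorithm: alg, NotBefore: nb, NotAfter: na}
	}
	return []Record{
		// Clean SHA-256 cert, issued when it says it was.
		{mk(1001, x509.SHA256WithRSA, day(2016, 3, 1), day(2017, 3, 1)), day(2016, 3, 1)},
		// SHA-1 cert with a 2015 notBefore but actually issued in 2016.
		{mk(1002, x509.SHA1WithRSA, day(2015, 12, 20), day(2016, 12, 20)), day(2016, 2, 15)},
		// SHA-256 cert valid for five years.
		{mk(1003, x509.SHA256WithRSA, day(2016, 3, 1), day(2021, 3, 1)), day(2016, 3, 1)},
		// Same serial as the first record, differing only in dates.
		{mk(1001, x509.SHA256WithRSA, day(2016, 3, 2), day(2017, 3, 2)), day(2016, 3, 2)},
	}
}

func main() {
	for _, f := range Audit(Sample()) {
		fmt.Printf("serial %s: %s\n", f.Serial, f.Rule)
	}
}
```

In practice the `Record.Cert` values come from `x509.ParseCertificate` over DER pulled from a CT log or the CA's own database, and the `IssuedAt` from the log entry timestamp; the point of keeping the two separate is that a check which only reads `notBefore` would have rated the back-dated certs as compliant.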