Package Details: ca-certificates-blacklist-wosign 3.30.1-1

Git Clone URL: https://aur.archlinux.org/ca-certificates-blacklist.git (read-only)
Package Base: ca-certificates-blacklist
Description: A set of broken CAs' certificates which should not be trusted (WoSign only)
Upstream URL: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
Licenses: GPL, MPL
Submitter: hexchain
Maintainer: hexchain
Last Packager: hexchain
Votes: 3
Popularity: 0.000714
First Submitted: 2016-09-02 14:01
Last Updated: 2017-04-19 04:59

Latest Comments

fbis251 commented on 2017-05-18 18:37

What these packages enable you to do is to distrust them at the OS level. Any tools (curl, wget, etc.) that use the OS certificate store will treat WoSign/CNNIC/StartCom certificates as untrusted. On the browser side, a lot of the new certificates aren't trusted anymore.

Chrome (Current version is 58)
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted. Certificates issued before this date may continue to be trusted, for a time, if they comply with the Certificate Transparency in Chrome policy or are issued to a limited set of domains known to be customers of WoSign and StartCom.

Firefox (Current version is 53)
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to. Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.

zatricky commented on 2017-05-18 17:00

Great find, this. Is there a discussion/decision process to make this unnecessary?

hexchain commented on 2016-09-04 03:34

@fbis251 Nice catch. Should be fixed now.

fbis251 commented on 2016-09-04 03:01

Hey, I was wondering if this certificate should be under CNNIC instead of WoSign?
Certification_Authority_of_WoSign_G2:2.16.107.37.218.138.136.157.124.188.15.5.179.177.122.97.69.68.crt