StartCom Will Stop Issuing Certificates, Revoking Them All in 2020 (startcomca.com)
thegarbz writes: StartCom, a certificate authority which, as we covered previously, has been distrusted by Mozilla, by Google, and recently also by Microsoft, has announced that it will cease trading as a Certificate Authority. While their website currently shows no indication that their certificates have any problems, a news posting has announced their intentions to stop providing certificates as of January 2018, and to revoke all remaining certificates in 2020.
The original submission also says StartCom sent an email to all their former customers -- including customers of their free StartSSL certificates -- announcing their intentions. As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.
The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority, as mentioned on StartCom's website.
StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years. StartCom would like to thank you for your support during this difficult time.
So Startcom will rename to Stopcom? Cute.
Where did you see this?
I'm pretty sure nospam007 read that in Woosh Magazine.
#DeleteFacebook
Seems like selectively invalidating CAs based upon arbitrary criteria is the complete opposite of this. What's next, actively refusing to honor Symantec Class 3 certs because foxnews has one?
instead of buying one cert from one authority, perhaps they want us to buy a cert from every authority. profits!
“Common sense is not so common.” — Voltaire
https://arstechnica.com/information-technology/2017/07/google-drops-the-boom-on-wosign-startcom-certs-for-good/
This doesn't seem like an agenda. Its more like if i write a bunch of bad checks, people will stop accepting my checks because i have broken the trust in my credit worthiness.
Back dating security certs and failing to follow the rules the cert companies have to follow to maintain trust seems like a good reason to stop trusting them.
This is wonderful!
Of course, I expect them to rebrand and be back in business doing the same thing, and making money off of it again within a year. As long as there are shady people wanting certificates, there will be shady companies willing to supply them.
Are there any actual standards that have been violated, or is this a "we don't like this so have a good day" thing? It's ridiculous to make a decision that impacts the world if no actual standards or legal requirements were violated.
Dear customer,
As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.
The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority, as mentioned on StartCom's website.
StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years.
StartCom would like to thank you for your support during this difficult time.
StartCom is contacting some other CAs to provide you with the certificates needed. In case you don't want us to provide you an alternative, please contact us at certmaster@startcomca.com
Please let us know if you need any further assistance with the transition process. We deeply apologize for any inconveniences that this may cause.
Best regards,
StartCom Certification Authority
I don't think their existing customers expect their details to be passed on to the CAs so they can offer their services. Sounds like another way for a dying business to monetise their remaining assets.
Being a CA requires behaviour beyond reproach - such as acting above, beyond any possibility of suspicion.
You are suggesting that the behaviour should be "adheres to some standard". Not good enough - the security landscape changes too fast - it has to be a standard such as "demonstrates commitment to ensuring the security and privacy of all". Reports are that they have not managed this standard of behaviour, ethos and culture.
Writing a pile of rules merely guarantees they will adhere to that pile of rules. Nothing more. Not the spirit of the rules, that's for sure.
I can't find that magazine. Did you spell it correctly?
Is it just me who is concerned that browser makers now rule like kings over the internet? They now have the power to make or break any company in the world by putting pressure onto certificate authorities, and/or simply unrecognising whoever they want. If ever there was a case for government regulation this is surely it. Maybe StartCom deserved to get smacked down, I have no idea. But it's the principle of the thing.
Yes, there are actual standards: https://cabforum.org/documents...
StartCom was the best option for multiple certificates. Their price model was vastly better and I wonder if they are having a hard time getting re-certified because the other CAs didn’t like their model.
You paid for validation not per cert.
Tier 1 was free and the certs were good for a year. Domain/Email control is all that was validated.
Tier 2 was your name, and it was $50 a year, but your certs were valid for 2 years. This allowed you to have your name in your email cert and basic checks were performed for domain certs. You were also allowed one Code Cert.
Tier 3 was more for Organizations or EV certs. Another $50 and the certs were good for 3 years. You could also have code cert with your organization name in it.
$100 every 3 years could get you UNLIMITED Domain, Email, and two Code certs. One in your name and one in your organization name. The best deal if you ask me. I had 5 email certs and 10 domain certs for $25/year as I only needed to verify once every two years.
The problem started when they were bought by WoSign:
https://www.wosign.com/english...
Then the shady things that got them revoked started happening and now they are closing shop. My same needs will cost close to a thousand dollars a year.
Dan
Perhaps you are looking for http://whooshmagazine.com/
I don't really have a problem with revoking StartCom's root cert, but it does feel a little bit like singling out the Chinese. Why is COMODO still trusted after they were shown to have terrible security, Symantec after they were handing out certs for google.com to random people and a number of other dubious practices, and the Turkish and Iranian CAs after they were caught signing anything their respective intelligence agencies asked them to? Most of these sound more severe than StartCom's lapses, yet I note that all four of these are still in the default-trusted set for Google, Mozilla, and so on. I'd love to see the standards enforced more vigorously, but uniformly.
I am TheRaven on Soylent News
Nope sorry, not helping, got a source in English?
There are issues with Symantec, and particular CAs were revoked, a lot of them regional and not very newsworthy.
The mailing lists of the individual browsers capture some of the drama, but most CAs actually try to fix the issues; StartCom just made things worse as they went along.
They sold themselves to another CA and started signing and backdating certificates; then, when people made a complaint about that, all they did was spin off the company to a shell company simply to disassociate them from the name, but the same company and people were still in charge.
Then they got hacked, and when Heartbleed came along it was proven that they had someone's certificates stolen; they refused to retract the certificate until their customer paid them to retract it.
StartCom's business model was to profit off customers that found themselves in a bind. It backfired on them.
Custom electronics and digital signage for your business: www.evcircuits.com
See subject: It's either always getting BROKEN (forcing devs who use libs like OpenSSL to reissue apps & libs for it + change the call parms from the reissued SSL libs too) or this happens (screwups, intentional OR not, are always going on with the issuers).
*... & Google is FORCING THIS down users' throats? Follow the money & know why!
(In a nutshell - this SSL shit keeps getting broken (just like program certs from Comodo & others in 'code-signing') or goes shitty in 1 way, shape, or form...)
They ought to rephrase the acronym for it as "SuperslowShittyLibs" instead!
APK
P.S.=> To top it all off, the crap SLOWS YOU DOWN - & they want YOUR MONIES for this busted slow shit? WTF!... apk
Backup your bs w/ proof OrangeTide https://it.slashdot.org/comments.pl?sid=11425437&cid=55663429/ provide proof of me picking on you 'for years' as you said in the post parent to mine in that link I just posted - you can't.
(If I had issues w/ you I'd have bookmarked it & I never have before YOU came in calling me a "git" (fool) starting hassles!)
* Additionally - CLASSIC & PRICELESS:
I also CAUGHT YOU posting UNIDENTIFIABLE AC vs. using your registered 'lusername' yet you point to YOUR POST that was done under your REGISTERED 'lusrname' claiming it too (YOU = FLATOUT-BUSTED -> https://slashdot.org/comments.pl?sid=11432439&cid=55667787/ )
SEE YOU DOWNMOD HID THIS 10x TIMES I POSTED IT TOO https://slashdot.org/comments.pl?sid=11430293&cid=55668641/ & https://slashdot.org/comments.pl?sid=11433711&cid=55669021/ + https://slashdot.org/comments.pl?sid=11432725&cid=55669055/ https://slashdot.org/comments.pl?sid=11432725&cid=55669519/ https://slashdot.org/comments.pl?sid=11430293&cid=55669493/ https://slashdot.org/comments.pl?sid=11432483&cid=55666417/ https://slashdot.org/comments.pl?sid=11433711&cid=55669449/ https://slashdot.org/comments.pl?sid=11434053&cid=55670435/ https://slashdot.org/comments.pl?sid=11433711&cid=55671621/ https://slashdot.org/comments.pl?sid=11433711&cid=55672301/ trying to hide it!
APK
P.S.=> This is the 24th time you've done a "Run, Forrest: RUN!!!" vs. it OrangeTide - why's that? I caught you lying?? Cat got your tongue??? Yes, obviously - pitiful... apk