StartCom Will Stop Issuing Certificates, Revoking Them All in 2020 (startcomca.com)
thegarbz writes: Startcom, a certificate authority which as we covered previously has been distrusted by Mozilla, by Google, and recently also by Microsoft, has announced that it will cease trading as a Certificate Authority. While their website currently shows no indication that their certificates have any problems, a news posting has announced their intentions to stop providing certificates as of January 2018, and to revoke all remaining certificates in 2020.
The original submission also says StartCom sent an email to all their former customers -- including customers of their free StartSSL certificates -- announcing their intentions. The email reads:
As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.
The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority as mentioned in StartCom's website.
StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years. StartCom would like to thank you for your support during this difficult time.
Seems like selectively invalidating CAs based upon arbitrary criteria is the complete opposite of this. What's next, actively refusing to honor Symantec Class 3 certs because foxnews has one?
Are there any actual standards that have been violated, or is this a "we don't like this so have a good day" thing? It's ridiculous to make a decision that impacts the world if no actual standards or legal requirements were violated.
I don't really have a problem with revoking StartCom's root cert, but it does feel a little bit like singling out the Chinese. Why is COMODO still trusted after they were shown to have terrible security, Symantec after they were handing out certs for google.com to random people and a number of other dubious practices, and the Turkish and Iranian CAs after they were caught signing anything their respective intelligence agencies asked them to? Most of these sound more severe than StartCom's lapses, yet I note that all four of these are still in the default-trusted set for Google, Mozilla, and so on. I'd love to see the standards enforced more vigorously, but uniformly.
I am TheRaven on Soylent News