Final removal of trust in WoSign and StartCom Certificates

[Devon O'Brien]

Hello net-dev,

As previously announced, Chrome has been in the process of removing trust from certificates issued by the CA WoSign and its subsidiary StartCom, as a result of several incidents not in keeping with the high standards expected of CAs.

We started the phase out in Chrome 56 by only trusting certificates issued prior to October 21st 2016, and subsequently restricted trust to a set of whitelisted hostnames based on the Alexa Top 1M. We have been reducing the size of the whitelist over the course of several Chrome releases.

Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued.

Based on the Chromium Development Calendar, this change should be visible in the Chrome Dev channel in the coming weeks, the Chrome Beta channel around late July 2017, and will be released to Stable around mid September 2017.

Sites still using StartCom or WoSign-issued certificates should consider replacing these certificates as a matter of urgency to minimize disruption for Chrome users.

Cheers,

Devon O'Brien

[Steven Harper]

Thanks for the update, we had reports of Chrome Canary users seeing "Revoked Certificates"

Our certificate migration process has started, EV certs take about 4 weeks, so it's fairly close.

We had a StartCom cert issued in 2015 which was well before the WoSign shenanigans.

However the Forum here has been very helpful in sharing what the situation is, and we have hopefully caught this early enough to get new EV SSLs.