> if you don't punish ... ppl who don't do research first, things will deteriorate rapidly.
Is there a way customers would have or could have known beforehand that this CA was fishy? I agree that the CA should be punished/ostracized, but it isn't obvious to me that most of its customers would have known they were a fishy CA.
> It's 2015. They're using SHA-1 for everything (NOOOO!). They're based in China, which has just said it wants to ban encryption. It looks like they've messed up OCSP, so even their own cert doesn't pass. Oh, and RC4, TLS 1.0
Politicians in the US and UK have also claimed they want to ban encryption. Unless the CA is literally run by the government (which some Chinese CAs are, but not this one), it doesn't make sense to penalize them for dumb things their country's politicians say.
I wouldn't say it's out of context; I was clearly stating my worries when this CA was discussed here a couple of years ago.
I think something should be done, but it's not my call of course. Given we do have Let's Encrypt now, I wouldn't feel in the least bit sad in revoking the WoSign certs. Anyone affected can, and should, change.
It's disappointing to see my concerns back then were well-placed, and there are clear indications StartCom's and WoSign's backends are connected together somehow?! I don't know what's going on there exactly, and someone should definitely find out.