So the browser community has spoken, and WoSign is toast. For the purposes of this blog, I’ve selected the iconic image of Ted “Theodore” Logan (get it, because “woah”) as our mascot for this awesome news.
The deal is that now Microsoft, Google, Apple, and Mozilla have all concluded that WoSign is just way too shady for anybody to rely on it by default. Like, for example, that time they gave some random dude a certificate for GitHub. That seriously wasn’t good. And now they don’t trust it.
I wrote a while back on why it was really fluxoring important that we, as an industry, remove shadiness from the various trusted CA lists. Why? Because the economics of the public PKI are such that there is continuous downward pressure on the security of the individual players within it. If you don’t believe me that that’s true, go read the original post — it takes a while to get there, but it’s a fact, Jack.
Anyway, getting rid of WoSign is a useful step and keeps me optimistic that folks are taking these things seriously. I still think that long-term, the answer is for additional teeth and scrutiny for the CAB Forum Baseline Requirements. Because having a trusted, not-for-profit, transparent entity maintaining the list of “shady” vs. “not shady” seems less “conflict of interest-ey” to me compared to each browser vendor ensuring compliance with the standard (not to mention it would streamline and strengthen the vetting process). But a willingness to send known-problematic folks packing? That’s a good starting point.