So they had a special side deal to get backdated certs? There's no way they were doing this for everybody or for "regular price" right?
CloudFlare made a deal with Comodo to issue (non-backdated) SHA-1 certificates from a "legacy" root that is mostly no longer trusted by modern clients.
Symantec and Entrust are also issuing SHA-1 certificates from "legacy" roots to large enterprises.
That's quite a nice solution.
The upside seems to be there's very little additional risk if certs are issued that "modern clients" won't accept - while still allowing "legacy clients" to communicate with the level of security/encryption they always have.
I guess the downside is - allowing it to continue means nobody will _ever_ upgrade or turn off "legacy client" equipment - which is probably all riddled with huge numbers of other "known exploits"... If you make it possible to put off upgrading your Windows XP (or equivalent early 2000s Linux-based) POS system or industrial/SCADA gear - it'll stay around randomly switching which botnet it's DDoSing for forever...
Once a root certificate has been pulled from a root program, it stops being in scope for the root program policies and the Baseline Requirements (at least that's the common interpretation), which would prohibit SHA-1 issuance from those roots. There's been some discussion about changing this.
Obviously, all these options are not available to anyone except a handful of large companies.
EDIT: Was reading out of date info :)
~~However, like someone else pointed out, from the discussion in the group it looks like it was a technical bug, which is still bad, but at least not maliciously bad.~~ Gah HN why you still no do markdown....