It also mentions the CA/Browser Forum resolution requiring browsers to support DNS CAA:
On March 8, 2017, the Certification Authority and Browser Forum (CA/Browser Forum) mandated that by September 8, 2017, CAs are expected to check for the presence of a CAA DNS record and, if present, refuse issuance of certificates unless they find themselves on the whitelist <https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/>.
With DNS CAA you can specify which certificate authorities may issue your SSL certificate; besides helping you, it also makes it easier for third parties to check whether a certificate was mis-issued:
We have seen a lot of interest in Amazon Route 53 support for Certification Authority Authorization (CAA) records, which let you control which certificate authorities (CA) can issue certificates for your domain name.
Seen on Twitter:
Chrome will fully distrust WoSign and StartCom in Chrome 61; beta in July, stable in September. https://t.co/5fnda6aUQw
— Ivan Ristic (@ivanristic) July 7, 2017
The removal of WoSign and StartCom happens in version 61, and according to "Final removal of trust in WoSign and StartCom Certificates", it should take effect when the stable channel ships version 61 in September:
Based on the Chromium Development Calendar, this change should be visible in the Chrome Dev channel in the coming weeks, the Chrome Beta channel around late July 2017, and will be released to Stable around mid September 2017.
Wildcard SSL certificates will have to be validated through the new ACME v2 protocol:
Wildcard certificates will be offered free of charge via our upcoming ACME v2 API endpoint. We will initially only support base domain validation via DNS for wildcard certificates, but may explore additional validation options over time.
This is the same timing as the "ACME v2 API Endpoint Coming January 2018" announcement mentioned a while ago.
Microsoft shipped updates in the past few days; IE and Edge will no longer accept SHA-1 certificates: "Microsoft Makes it Official, Cuts off SHA-1 Support in IE, Edge". Microsoft's own announcement is at "Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11".
Root certificates are not affected (so a Root CA an enterprise generates itself is not affected either):
Beginning May 9, 2017, Microsoft released updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning. This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificates.
Netflix wanted to use Name Constraints, so they decided to step up and promote it themselves: "BetterTLS - A Name Constraints test suite for HTTPS clients".
The idea is that constraints can be bound to a CA certificate so that it may only issue for certain domains:
The site can be viewed at "BetterTLS: Name Constraints".
The CA/Browser Forum passed a ballot requiring that, from now on, CAs must check the DNS CAA record before issuing a certificate (RFC 6844, "DNS Certification Authority Authorization (CAA) Resource Record"): "Ballot 187 - Make CAA Checking Mandatory".
Certificate Authority Authorization (CAA) is a DNS Resource Record defined in RFC 6844 – https://datatracker.ietf.org/doc/rfc6844/ , published in January 2013. It allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain and, by implication, that no other CAs are authorized.
Through DNS CAA data you can restrict who is allowed to issue your certificates, managed directly as a whitelist.
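To show how a CA applies that whitelist, here is an added example (not code from the post or from any CA) that parses CAA records in zone-file form and decides whether a given CA is authorized, following the RFC 6844 rules for issue, issuewild, the empty issuer ";" and the critical flag. It assumes the relevant RRset has already been located (the parent-domain climb in RFC 6844 is not shown) and, like common CA implementations, treats an RRset with no issue/issuewild records as not restricting issuance; the sample RRset is constructed.

```python
from dataclasses import dataclass
from typing import List

ISSUER_CRITICAL = 0x80  # RFC 6844 section 3: flag bit 0 (value 128)
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(presentation: str) -> CAARecord:
    """Parse the zone-file form, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = presentation.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def issuer_domain(value: str) -> str:
    """Strip ';key=value' parameters; a bare ';' yields '' (no CA may issue)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(records: List[CAARecord], ca: str, wildcard: bool = False) -> bool:
    """Return True if the CA identified by `ca` is authorized by this RRset."""
    # An unrecognized tag with the critical flag set forbids issuance outright.
    if any(r.tag not in KNOWN_TAGS and r.flags & ISSUER_CRITICAL for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    wild = [r for r in records if r.tag == "issuewild"]
    # issuewild governs wildcard requests only when present; otherwise issue applies.
    relevant = wild if (wildcard and wild) else issue
    if not relevant:
        # Only iodef (or nothing) published: assumed not to restrict this request.
        return True
    allowed = {issuer_domain(r.value) for r in relevant}
    return ca.lower() in allowed


# Constructed sample RRset for example.com (not real DNS data).
SAMPLE_ZONE = [
    '0 issue "letsencrypt.org"',
    '0 issue "amazon.com"',
    '0 issuewild ";"',  # no wildcard certificates from any CA
    '0 iodef "mailto:security@example.com"',
]
SAMPLE = [parse_caa(line) for line in SAMPLE_ZONE]
```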
So the maximum lifetime drops from the original 39 months to roughly 27 months: the longest certificate you can buy today is 3 years, and in the future it will be 2 years:
Recent Ballot 185 demonstrated a consensus among Forum members to reduce the maximum lifetime for DV and OV certificates from 39 months to 825 days (roughly 27 months). This ballot reflects that consensus, and also reduces the maximum period for reuse of vetting data for DV and OV certificates from 39 months to 27 months.
As announced last fall, we’ve been disabling SHA-1 for increasing numbers of Firefox users since the release of Firefox 51 using a gradual phase-in technique. Tomorrow, this deprecation policy will reach all Firefox users. It is enabled by default in Firefox 52.