Hi Richard, 

Is the proposal to limit CNNIC roots to only .cn domains or would others be 
allowed?

I'm curious to know what CNNIC's perspective is on this proposal, so will a 
representative be replying in this forum?

Thanks.

-----Original Message-----
From: Richard Barnes
Sent: Monday, March 23, 2015 5:48 PM
To: [email protected]
Subject: Consequences of mis-issuance under CNNIC

Dear dev.security.policy,

It has been discovered that an intermediate CA under the CNNIC root has
mis-issued certificates for some Google domains. Full details can be found
in blog posts by Google [0] and Mozilla [1]. We would like to discuss what
further action might be necessary in order to maintain the integrity of the
Mozilla root program, and the safety of its users.

There have been incidents of this character before. When ANSSI issued an
intermediate that was used for MitM, name constraints were added to limit
its scope to French government domains. When TurkTrust mis-issued
intermediate certificates, they changed their procedures and then they were
required to be re-audited in order to confirm their adherence to those
procedures.

We propose to add name constraints to the CNNIC root in NSS to minimize the
impact of any future mis-issuance incidents. The “update procedures and
re-audit” approach taken with TurkTrust is not suitable for this scenario.
Because the mis-issuance was done by a customer of CNNIC, it’s not clear
that updates to CNNIC’s procedures would address the risks that led to this
mis-issuance. We will follow up this post soon with a specific list of
proposed constraints.

Please send comments to this mailing list. We would like to have a final
plan by around 1 April.

Thanks,
--Richard

[0]
http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
[1]
https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
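The thread above turns on what "adding name constraints to a root" actually buys a relying party: once the constraint is in the trust store, any certificate chaining to that root for a name outside the permitted subtrees fails path validation, whatever the intermediate signed. The following is an added illustration written for this thread (not Mozilla, NSS or CNNIC code) of the dNSName subtree rule from RFC 5280 section 4.2.1.10 applied to the SAN names of a leaf; the constraint values and host names are constructed, and treating a leading-dot constraint such as ".cn" as "subdomains only" follows common TLS-stack behaviour rather than the RFC text itself.

```python
"""Added example: how a dNSName name constraint bounds an intermediate.

Illustrative code written for this discussion; it is not the NSS
implementation. The matching rule follows RFC 5280 section 4.2.1.10 for
dNSName; the ".cn"-style leading-dot form is an implementation convention
(assumed here) meaning "subdomains only". All names below are constructed.
"""
from dataclasses import dataclass, field


def dns_name_in_subtree(name: str, constraint: str) -> bool:
    """Return True if `name` falls inside the dNSName subtree `constraint`.

    RFC 5280: a constraint "example.com" covers example.com and any
    label-wise subdomain (host.example.com) but NOT notexample.com.
    A constraint with a leading dot (".example.com") is treated as
    covering subdomains only (assumed convention, see module docstring).
    """
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    if constraint.startswith("."):
        return name.endswith(constraint)
    return name == constraint or name.endswith("." + constraint)


@dataclass
class NameConstraints:
    """permittedSubtrees / excludedSubtrees restricted to dNSName entries."""
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def intersect_constraints(outer: NameConstraints, inner: NameConstraints) -> NameConstraints:
    """Effective constraints for a chain: permitted subtrees can only narrow
    (keep inner entries that sit inside some outer entry; if the outer set
    is empty, the inner set stands), excluded subtrees accumulate."""
    if not outer.permitted:
        permitted = list(inner.permitted)
    elif not inner.permitted:
        permitted = list(outer.permitted)
    else:
        permitted = [p for p in inner.permitted
                     if any(dns_name_in_subtree(p.lstrip("."), o) for o in outer.permitted)]
    return NameConstraints(permitted=permitted,
                           excluded=list(outer.excluded) + list(inner.excluded))


def check_leaf_names(san_dns_names, constraints: NameConstraints):
    """Validate every SAN dNSName of a leaf against the effective constraints.

    A name is acceptable only if it lies outside every excluded subtree and,
    when any permitted subtrees are defined, inside at least one of them.
    Returns (ok, offending_names) so a validator can report exactly which
    name made the path fail.
    """
    offending = []
    for n in san_dns_names:
        if any(dns_name_in_subtree(n, e) for e in constraints.excluded):
            offending.append(n)
            continue
        if constraints.permitted and not any(
                dns_name_in_subtree(n, p) for p in constraints.permitted):
            offending.append(n)
    return (not offending, offending)


if __name__ == "__main__":
    # Constructed scenario: a root constrained (in the trust store) to .cn,
    # an unconstrained intermediate beneath it, and a leaf that mixes an
    # in-scope name with an out-of-scope one.
    root_nc = NameConstraints(permitted=[".cn"])
    intermediate_nc = NameConstraints()          # issued without constraints
    effective = intersect_constraints(root_nc, intermediate_nc)
    ok, bad = check_leaf_names(["www.example.cn", "www.example.com"], effective)
    print("path valid:", ok, "offending names:", bad)
```

The `intersect_constraints` step is what makes the root-level constraint stick: an intermediate cannot widen its issuer's permitted set, so a mis-issued leaf for a name outside the constrained scope fails validation at the client regardless of which intermediate signed it.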
