On 23/03/15 22:47, Richard Barnes wrote:
> We propose to add name constraints to the CNNIC root in NSS to minimize the
> impact of any future mis-issuance incidents.

I think it's worth noting that alternative options (both more and less severe) would be considered, if people want to make a case for them.

> Because the mis-issuance was done by a customer of CNNIC, it’s not clear
> that updates to CNNIC’s procedures would address the risks that led to this
> mis-issuance.

If this is true, it has some rather alarming consequences. You are basically saying that today's certificate system does not have a suitable way to prevent a CA's customers (or, at least, their customers for intermediate certificates) from using such certificates in evil ways. (You say this when you say there's nothing CNNIC could have done differently to prevent this.)

If that's true, why would any CA take the risk of ever issuing an intermediate to anyone else? If that's our view, then shouldn't we be banning the practice of CAs issuing intermediates to anyone other than themselves?

Alternatively, if that's true, if CNNIC could not have done anything to prevent this, and if we are not going to ban the issuance of intermediates to third parties, then surely no blame attaches to CNNIC?

That is not what I think, but it does seem like a logical consequence of your statement.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

