> Technically, this is true. I just find it odd that the offending certificate suggests a relationship with a non-Chinese market, while at the same time, Richard's data only shows the top gTLDs and various China-related TLDs.
Why would the Chinese military directly implicate China for a certificate issued to perform MITM attacks? It wouldn't make sense. They're obviously going to make it look like it was some company a long way away with no ties to them. Perhaps they even sold some real products to make the business look legitimate. This is how the world works in 2015. If CNNIC expects to be trusted again, they have to prove that they're not doing this on a regular basis. They should have to re-apply to the trust store once they've implemented CT so the claim that they're not simply being used as a tool for the Chinese military can be disproved.
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy