On Wed, March 25, 2015 10:18 am, Peter Bowen wrote:
> E) Enable existing CNNIC-issued certificates to continue to work but
> block new ones. Two possible ways this could be done:
>
> 1) Code a cutoff date, and treat any certificate with a not_before
> date after the cutoff date as untrusted.
>
> 2) Require CNNIC to provide a list of all unexpired issued
> certificates, white list those certificates, and treat any others as
> untrusted.
>
> This would not penalize those site owners who chose CNNIC but would
> indicate that the lack of trust in CNNIC's processes means that future
> certificates are not trusted.

It's worth noting the technical issue with E1 is that you cannot use the not_before (which is set and signed by the CA) if you do not trust the CA. E2 differs, in that it acts as an external counter-party (much like, say, Certificate Transparency does), and thus does not rely on the CA.

That is, in a hypothetical world where E1 is pursued (for any CA), the CA can simply backdate the certificate. They'd be non-compliant with the Baseline Requirements, presumably, but that is somewhat how we got here in the first place.

So purely on a technical level, E2 seems to be the only viable option of the E options.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
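The distinction drawn in the reply above, as an added example that is not part of the thread: a throwaway CA is generated in-process with Go's standard library (no real CNNIC material is involved), it issues one certificate before a policy cutoff and one after the cutoff with a backdated notBefore, and the two E options are evaluated as functions. The names `trustedE1`, `trustedE2`, `scenario` and the constructed dates are this example's own assumptions, chosen to match the thread's labels.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// demoCA is a constructed, in-memory issuer; it stands in for "the CA you
// no longer trust" and has nothing to do with any real CA's key.
type demoCA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func newDemoCA() (*demoCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA (constructed)"},
		NotBefore:             time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &demoCA{key: key, cert: cert}, nil
}

// issue signs a leaf whose notBefore is whatever the CA chooses to assert.
// The CA controls and signs this field, which is exactly E1's weakness.
func (ca *demoCA) issue(serial int64, cn string, notBefore time.Time) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &leafKey.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// fingerprint is the SHA-256 of the DER encoding: the natural whitelist key,
// since it depends on every byte the CA signed rather than on one claim.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// trustedE1 (option E1): accept only certificates with notBefore <= cutoff.
func trustedE1(c *x509.Certificate, cutoff time.Time) bool {
	return !c.NotBefore.After(cutoff)
}

// trustedE2 (option E2): accept only certificates on a list compiled by an
// external counter-party; no field the CA asserts is consulted.
func trustedE2(c *x509.Certificate, whitelist map[string]bool) bool {
	return whitelist[fingerprint(c)]
}

// scenario issues an honest pre-cutoff cert (captured in the whitelist) and a
// post-cutoff cert that the CA backdated, then returns the four verdicts.
func scenario() (e1Old, e1Backdated, e2Old, e2Backdated bool, err error) {
	ca, err := newDemoCA()
	if err != nil {
		return
	}
	cutoff := time.Date(2015, 4, 1, 0, 0, 0, 0, time.UTC) // constructed policy date
	old, err := ca.issue(100, "legit.example", cutoff.AddDate(0, -3, 0))
	if err != nil {
		return
	}
	whitelist := map[string]bool{fingerprint(old): true} // snapshot taken at cutoff
	backdated, err := ca.issue(101, "new.example", cutoff.AddDate(0, -1, 0)) // issued later, notBefore in the past
	if err != nil {
		return
	}
	e1Old, e1Backdated = trustedE1(old, cutoff), trustedE1(backdated, cutoff)
	e2Old, e2Backdated = trustedE2(old, whitelist), trustedE2(backdated, whitelist)
	return
}

func main() {
	e1Old, e1Back, e2Old, e2Back, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("E1 cutoff:    old=%v backdated=%v\n", e1Old, e1Back) // true true
	fmt.Printf("E2 whitelist: old=%v backdated=%v\n", e2Old, e2Back) // true false
}
```

Both certificates carry a genuine signature from the same CA, so ordinary path validation cannot tell them apart either; only the whitelist, built from a snapshot the CA does not control, rejects the later certificate.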

