> B) Take away EV treatment (green bar) from the "China Internet Network
> Information Center EV Certificates Root" certificate. Note that the
> "CNNIC ROOT" certificate is not enabled for EV treatment.
The lock indicating a secure connection can be taken away completely, while still leaving authenticated encryption in place. I mentioned the EV bar because Chromium took it away for lack of CT. I think removal would be better, but if removal isn't a viable option due to breakage then indicating that the connections aren't secure is a solid step forward. It won't break anything but is still a meaningful consequence for breaking the policies and informs users - not as well as a scary warning page saying the cert isn't trusted, but much better than doing nothing.
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

