On Wed, March 25, 2015 7:52 pm, Peter Kurrasch wrote:

> I'm not suggesting I have a firm answer in mind, but I am saying that
> while we're focusing on CNNIC it doesn't seem right that the actual
> perpetrator suffers no consequence.
Peter,

Hopefully my first reply to Kathleen's message has demonstrated sufficient evidence that CNNIC has, independent of any actions MCS took, violated the BRs in several real, meaningful, and significant ways. That is, even if MCS Holdings had never placed such a certificate on a MITM device, the very act of giving MCS Holdings a certificate, and the manner in which it was done, was itself an action that failed to uphold and abide by the Baseline Requirements and CNNIC's CPS.

That MCS Holdings used their certificate in a way that was non-compliant with the BRs is certainly unfortunate, but in doing so, it brought to light the even more serious-seeming non-compliance of CNNIC.

I think it's reasonable to first question what steps should be taken to preserve or restore trust, before discussion of how to avoid and/or mitigate such situations in the future. But let's be clear: while MCS Holdings violated their agreements (according to CNNIC), which, per Mozilla policy, reflects upon and is ultimately the responsibility of CNNIC, CNNIC independently appears to have violated even more of the Baseline Requirements, and has done so wholly independently of MCS's actions.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy