I'm very much in favor of Option A. If a CAs doesn't follow the Baseline Requirements, they don't get included. Simple as that. If we continue to waver on these requirements, we should really rename them to Baseline Guidelines.
The websites that currently chain to CNNIC's roots will have to switch to another CA that actually follows the Requirements. Perhaps a bit stressful for a short period of time, but definitely worth setting the precedent that all root CAs must follow the Requirements if they are to remain in the trust store. -Daniel On Wednesday, March 25, 2015 at 10:13:25 AM UTC-7, Kathleen Wilson wrote: > All, > > I appreciate your thoughtful and constructive feedback on this situation. > > The suggestions regarding the CNNIC root certificates that I've > interpreted from this discussion are as follows. These are listed in no > particular order, and are not necessarily mutually exclusive. > > A) Remove both of the CNNIC root certificates from NSS. This would > result in users seeing an over-rideable Untrusted Connection error. > (Error code: sec_error_unknown_issuer) > > B) Take away EV treatment (green bar) from the "China Internet Network > Information Center EV Certificates Root" certificate. Note that the > "CNNIC ROOT" certificate is not enabled for EV treatment. > > C) Constrain the CNNIC root certificates to certain domains (e.g. .cn > and .china) > > D) Suspend inclusion of (i.e. temporarily remove) the CNNIC root > certificates until they have implemented CT, updated their CP/CPS to > resolve the noted issues, updated their systems to enable issuing certs > with name constraints, and have been re-audited. > > Did I miss any? > > Thanks, > Kathleen _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
