Matt Palmer <[email protected]> writes: >However, given that CNNIC felt it appropriate to violate their CPS with >regards to an intermediate CA certificate, I don't see that there's any >greater reason to trust their adherence to their CPS in any other aspect. >Thus, I'm not not keen on allowing them to issue *any* further trusted >certificates.
So this is now a convenient excuse to kick out CNNIC, after the initial attempts to not let them in in the first place failed. I've always wondered, what do people have against CNNIC and Turktrust in particular? Why the hostility focused on just these two CAs, when there are plenty of others who have behaved in a far more dubious manner? Given that other certificate vending machines trusted by Mozilla have done all manner of bad things (selling certs to phishers and other criminals, selling certs for things like apple.com to multiple people who asked for them, selling thousands upon thousands of certs for internal, unqualified, and RFC 1918 domains/addresses, etc), all in violation of the BR, why the hostility directed at these two? It seems like every other CA that's been examined in any detail after problems have cropped up has shown BR compliance failures, and yet it's being used as a convenient cudgel to beat CNNIC with. They're certificate vending machines like any others, and from all the information that's been made available, what CNNIC did seems to be a genuine slip-up that affected one whole person, inside the organisation that messed up their firewall config/usage, rather than, for example, supplying certs to Russian organised crime as other vendors have done. If you're going to kick out CNNIC because of this BR-compliance issue then an awful lot of other CAs will need to go as well. If you're going to apply this "standard" then you need to apply it uniformly, not just to bash a particular CA you want to get rid of. More generally, a second informal requirement for being in a browser, alongside "Don't sell only a small number of certs" (to meet the TB2F criteria required by browsers if something goes wrong) seems to be "Don't be Chinese or Arab/Persian/Turkic". I don't know if any Russian/Byelorussian/Ukrainian/*stani CAs are present in browsers, but I'm guessing being one of those won't help your case either. Peter. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
