On Tue, Mar 31, 2015 at 02:34:45PM +1300, Peter Gutmann wrote:
> Matt Palmer <[email protected]> writes:
>
> >However, given that CNNIC felt it appropriate to violate their CPS with
> >regards to an intermediate CA certificate, I don't see that there's any
> >greater reason to trust their adherence to their CPS in any other aspect.
> >Thus, I'm not keen on allowing them to issue *any* further trusted
> >certificates.
>
> So this is now a convenient excuse to kick out CNNIC, after the initial
> attempts to not let them in in the first place failed. I've always wondered,
> what do people have against CNNIC and Turktrust in particular? Why the
> hostility focused on just these two CAs, when there are plenty of others who
> have behaved in a far more dubious manner?
I wasn't involved in d-s-p when those previous cases were considered,
otherwise I'd have said exactly the same thing about the CAs involved in
those cases, too.
> More generally, a second informal requirement for being in a browser,
> alongside "Don't sell only a small number of certs" (to meet the TB2F criteria
> required by browsers if something goes wrong) seems to be "Don't be Chinese or
> Arab/Persian/Turkic". I don't know if any
> Russian/Byelorussian/Ukrainian/*stani CAs are present in browsers, but I'm
> guessing being one of those won't help your case either.
Or, presumably, Dutch.
- Matt
(Oooh, *good* sigmonster, have a biscuit)
--
"If a politician fixes a problem then he loses it as a campaign issue. But
if he makes the problem worse while heroically fighting against it, then
he's golden."
-- Rex Tincher