On 30/03/15 10:08 PM, Peter Gutmann wrote:
> Daniel Micay <[email protected]> writes:
>
>> CNNIC is known to have produced and distributed malware for the purpose of
>> mass surveillance and censorship.
>
> TeliaSonera aided totalitarian governments, Comodo provided the PrivDog MITM
> software, and that's just the first two off the top of my head.

Any CA demonstrating a high level of incompetent or malicious behaviour should be removed. If you really wanted this, then I doubt you'd be using whataboutism as a defense against it. In a thread about removing Comodo, someone else would just point out that CNNIC was not removed for doing the same thing... it's a nonsensical fallacy.

>> If you have solid evidence that other CAs do this, feel free to present and
>> I'll be a loud supporter of ripping out their certificates too.
>
> We'll start with Comodo then, shall we? [0].

The topic at hand here is CNNIC. You're free to start another thread about Comodo. If they're shown to have egregiously violated policies as is the case here, then clearly they should be removed.

The decision about which CAs to include is ultimately a political one, except when it comes to policy violations. The fact that some of them are malware outfits is a strong reason to exclude them, but that all depends on the political views of the people making the call. On the other hand, choosing not to enforce the industry standard policies is just cut and dry negligence. If there are known violations and no response to it, then Mozilla is liable for anything that goes wrong.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

