Yours is certainly one viewpoint, Daniel. Just the same, there is nothing
wrong with more nuanced perspectives.

________________________________________________________________________
From: Daniel Micay <[email protected]>
Date: Mon Mar 30 2015 21:29:04 GMT-0500 (Central Daylight Time)

On 30/03/15 10:08 PM, Peter Gutmann wrote:
> Daniel Micay <[email protected]> writes:
>
>> CNNIC is known to have produced and distributed malware for the purpose of
>> mass surveillance and censorship.
>
> TeliaSonera aided totalitarian governments, Comodo provided the PrivDog MITM
> software, and that's just the first two off the top of my head.

Any CA demonstrating a high level of incompetent or malicious behaviour
should be removed. If you really wanted this, then I doubt you'd be using
whataboutism as a defense against it. In a thread about removing
Comodo, someone else would just point out that CNNIC was not removed for
doing the same thing... it's a nonsensical fallacy.

>> If you have solid evidence that other CAs do this, feel free to present and
>> I'll be a loud supporter of ripping out their certificates too.
>
> We'll start with Comodo then, shall we? [0].

The topic at hand here is CNNIC. You're free to start another thread
about Comodo. If they're shown to have egregiously violated policies as
is the case here, then clearly they should be removed.

The decision about which CAs to include is ultimately a political one,
except when it comes to policy violations. The fact that some of them are
malware outfits is a strong reason to exclude them, but that all depends on
the political views of the people making the call. On the other hand,
choosing not to enforce the industry standard policies is just cut and dry
negligence. If there are known violations and no response to it, then
Mozilla is liable for anything that goes wrong.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

