On 01/04/15 18:35, Richard Barnes wrote:
> <snip>
> * Request that CNNIC provide a list of currently valid certificates, and publish that list so that the community can recognize any back-dated certs
> <snip>
> This corresponds roughly to option (E) that Peter Bowen raised, and combines the E1 and E2 options noted by Ryan. I do not anticipate that we would make software changes to enforce a whitelist, but instead would rely on CNNIC not back-dating certificates, with the published list usable as a check for any certificates that the community finds (in the spirit of CT).

Why don't you specifically require CT to be the mechanism by which this list is published?

> The fact that CNNIC violated its CPS in issuing the MCS Holdings intermediate certificate calls into question whether they are adhering to their obligations more generally. The idea of this proposal is effectively to impose a moratorium on CNNIC issuing more certificates until they have assured the community that this is the case.

Would it be reasonable to require CNNIC to publish all certs they issue in the future too (at least until "they have assured the community that this is the case")?
-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
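The published-list check described in the quoted proposal, with a CT log sighting as the corroborating evidence the reply asks about, as an added Python sketch that is not code from this thread or from Mozilla. The cutoff date, list contents and fingerprints are constructed placeholders, and the list is keyed by SHA-256 of the DER certificate, which is an assumption about how such a list would be published.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed data: the cutoff and the "published list" below are placeholders
# for illustration, not a real decision date or a real CA's list.
MORATORIUM = datetime(2015, 4, 1, tzinfo=timezone.utc)
PUBLISHED_LIST = {"aa" * 32, "bb" * 32}   # hex SHA-256 fingerprints of listed certs

def fingerprint(der: bytes) -> str:
    """Key the list by SHA-256 of the DER encoding, so a back-dated cert cannot
    match a listed one merely by reusing its serial or subject."""
    return hashlib.sha256(der).hexdigest()

@dataclass
class ObservedCert:
    fingerprint: str                   # hex SHA-256 of the DER certificate
    not_before: datetime               # notBefore as encoded in the certificate
    first_ct_seen: Optional[datetime]  # earliest CT log timestamp, None if never logged

def classify(cert: ObservedCert, published: set, cutoff: datetime) -> tuple:
    """Return (verdict, evidence) for a certificate found in the wild.
    listed: on the published list, nothing further to check.
    issued-after-cutoff: notBefore is after the moratorium and it is not listed.
    suspected-backdated: claims pre-moratorium issuance but the list (meant to be
    complete as of the cutoff) lacks it; a first CT sighting after the cutoff
    corroborates that, while the absence of a sighting does not clear it."""
    if cert.fingerprint.lower() in published:
        return ("listed", "fingerprint on published list")
    if cert.not_before >= cutoff:
        return ("issued-after-cutoff", f"notBefore {cert.not_before.date()} >= cutoff")
    if cert.first_ct_seen is not None and cert.first_ct_seen > cutoff:
        return ("suspected-backdated", "not listed; first logged after cutoff")
    return ("suspected-backdated", "not listed; no CT sighting to corroborate")

def run_sample() -> dict:
    """Classify three constructed observations; returns {name: verdict}."""
    jan = datetime(2015, 1, 15, tzinfo=timezone.utc)
    may = datetime(2015, 5, 2, tzinfo=timezone.utc)
    observations = {
        "listed-old": ObservedCert("aa" * 32, jan, None),
        "new-after-cutoff": ObservedCert(fingerprint(b"constructed-der-1"), may, may),
        "old-date-new-log": ObservedCert(fingerprint(b"constructed-der-2"), jan, may),
    }
    return {name: classify(c, PUBLISHED_LIST, MORATORIUM)[0]
            for name, c in observations.items()}
```

A real deployment would derive `first_ct_seen` from the SCTs embedded in the certificate or from log queries, and would pull the published list from wherever the CA actually posts it.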