On Wed, Apr 1, 2015 at 5:32 PM, Rob Stradling <[email protected]> wrote:

> On 01/04/15 18:35, Richard Barnes wrote:
> <snip>
>
>> * Request that CNNIC provide a list of currently valid certificates, and
>> publish that list so that the community can recognize any back-dated certs
>>
> <snip>
>
>> This corresponds roughly to option (E) that Peter Bowen raised, and
>> combines the E1 and E2 options noted by Ryan. I do not anticipate that we
>> would make software changes to enforce a whitelist, but instead would rely
>> on CNNIC not back-dating certificates, with the published list usable as
>> a check for any certificates that the community finds (in the spirit of
>> CT).
>>
>
> Why don't you specifically require CT to be the mechanism by which this
> list is published?
>

That's certainly an option. I didn't want to prescribe a specific mechanism
in my initial proposal, since this seemed like an implementation detail. In
principle, just a list of issuer/serial pairs would be sufficient to
recognize bad certs, if CNNIC were uncomfortable releasing the full
details. I do agree that publishing the details would be preferable.

>> The fact that CNNIC violated its CPS in issuing the MCS Holdings
>> intermediate certificate calls into question whether they are adhering to
>> their obligations more generally. The idea of this proposal is
>> effectively to impose a moratorium on CNNIC issuing more certificates
>> until they have assured the community that this is the case.
>>
>
> Would it be reasonable to require CNNIC to publish all certs they issue in
> the future too (at least until "they have assured the community that this
> is the case") ?
>

That would fall under the rubric of what we as the community want to
require of CNNIC before they can be re-admitted. I think that's a second
discussion, after this one.

--Richard

> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
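The check Richard sketches above (a published list of issuer/serial pairs, used to recognise certificates that are not on it) written out as an added example. This is not code from the thread, from Mozilla, or from CNNIC; it assumes a flat list of (issuer DN, serial) rows, a hypothetical cutoff date for the moratorium, and that serials in the wild are printed in hex as openssl, crt.sh and CT log viewers do. The issuer, whitelist and "found" certificates are constructed sample data, not real CNNIC certificates.

```python
from dataclasses import dataclass
from datetime import date

# Assumed moratorium cutoff (hypothetical value for the example): a cert from
# this CA must either be on the published list or must post-date this day.
CUTOFF = date(2015, 4, 1)


def normalize_serial(serial) -> int:
    """Turn a serial as printed by different tools ('0x1A2B', '1a:2b', '1A2B')
    into an int so the same certificate compares equal regardless of source.
    Assumption: string serials are hex, never decimal."""
    if isinstance(serial, int):
        return serial
    s = serial.strip().lower().replace(":", "")
    if s.startswith("0x"):
        s = s[2:]
    return int(s, 16)


def normalize_issuer(issuer: str) -> str:
    """Loose DN comparison: trim spaces around RDNs and ignore case.
    Assumption: both the list and the found cert print RDNs in the same order."""
    return ",".join(p.strip() for p in issuer.split(",")).lower()


def load_whitelist(rows):
    """rows: iterable of (issuer DN, serial) as the CA would publish them."""
    return {(normalize_issuer(i), normalize_serial(s)) for i, s in rows}


@dataclass(frozen=True)
class FoundCert:
    issuer: str
    serial: str
    not_before: date


LISTED = "listed"
BACKDATED = "unlisted, notBefore before cutoff: possible back-dating"
POST_CUTOFF = "unlisted, notBefore after cutoff: issued under moratorium"
INCONSISTENT = "listed but notBefore after cutoff: published list is inconsistent"


def classify(cert: FoundCert, whitelist, cutoff: date = CUTOFF) -> str:
    """Compare one found certificate against the published list and the cutoff.
    An unlisted cert dated before the cutoff is exactly the back-dating case the
    list is meant to catch; a listed cert dated after the cutoff means the list
    itself cannot be trusted as a snapshot of 'currently valid' certs."""
    key = (normalize_issuer(cert.issuer), normalize_serial(cert.serial))
    listed = key in whitelist
    before = cert.not_before < cutoff
    if listed and before:
        return LISTED
    if listed:
        return INCONSISTENT
    if before:
        return BACKDATED
    return POST_CUTOFF


def audit(certs, whitelist, cutoff: date = CUTOFF):
    """Return (serial, verdict) for every cert that needs a human to look at it."""
    verdicts = [(c.serial, classify(c, whitelist, cutoff)) for c in certs]
    return [(s, v) for s, v in verdicts if v != LISTED]


# Constructed sample data (not real certificates or a real CA's list).
SAMPLE_ISSUER = "CN=Sample Issuing CA, O=Sample CA Ltd, C=XX"
SAMPLE_WHITELIST = [
    (SAMPLE_ISSUER, "0x1000"),
    ("cn=Sample Issuing CA,o=Sample CA Ltd,c=XX", "10:01"),  # sloppily formatted row
    (SAMPLE_ISSUER, "1002"),
]
SAMPLE_FOUND = [
    FoundCert(SAMPLE_ISSUER, "1000", date(2014, 6, 1)),       # on the list
    FoundCert(SAMPLE_ISSUER, "0x10:01", date(2015, 3, 20)),   # on the list, different formatting
    FoundCert(SAMPLE_ISSUER, "1003", date(2014, 12, 1)),      # not listed, dated before cutoff
    FoundCert(SAMPLE_ISSUER, "1004", date(2015, 5, 1)),       # not listed, dated after cutoff
    FoundCert(SAMPLE_ISSUER, "1002", date(2015, 6, 1)),       # listed yet dated after cutoff
]

if __name__ == "__main__":
    for serial, verdict in audit(SAMPLE_FOUND, load_whitelist(SAMPLE_WHITELIST)):
        print(serial, "->", verdict)
```

The normalisation step is where such a check usually goes wrong in practice: the same serial appears as `0x1001`, `10:01` and `1001` depending on whether it came from openssl, a CT log viewer or the CA's own spreadsheet, so comparing raw strings would silently miss listed certificates and produce false back-dating alarms.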

