Hi Matt,

On 01/04/15 23:44, Matt Palmer wrote:
> I'd like to see discussion of what happens if things *don't* go according to
> plan, though. The plan relies quite a bit on CNNIC's cooperation, both to
> provide the list of existing certificates, as well as making (and abiding
> by) the undertaking not to issue further certificates chaining to their
> existing trusted roots.

No, this plan does not include them making or abiding by such an undertaking. Such certificates would not be trusted by Firefox, but they are welcome to issue them. It does require them not to _backdate_ certificates, and we will be asking for a list of currently-outstanding certificates to help ensure that this does not happen.

> 1) If they refuse to provide a list of currently issued certificates;

I think this is unlikely, particularly as Google have decided to require CNNIC to agree to CT for all certificates in the future, and Google's blog post suggests that they have agreed to this.

Gerv

