On 02/04/15 12:42, Sebastian Wiesinger wrote:
> the plan would be to continue allowing current certificates (perhaps
> with some sort of whitelist) while not accepting new certificates.
>
> Could you ask Google to share their whitelist?

Until they announced, we were not aware that Google would be requesting a whitelist. It is quite possible CNNIC will supply us both with the same data.

> As far as I understand it, without an explicit whitelist nothing would
> prevent CNNIC from backdating new certificates so that they would be
> accepted. Is this right or am I missing something?

Well, if anyone detects them doing this, by e.g. scanning the internet, the consequences will be serious. I have no reason to believe that they would backdate certs but if they did, they would need to be very confident that no-one would notice. If I owned CNNIC, I would not be at all confident of this.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

