* Gervase Markham <[email protected]> [2015-04-02 15:42]:
> On 02/04/15 12:42, Sebastian Wiesinger wrote:
> > the plan would be to continue allowing current certificates (perhaps
> > with some sort of whitelist) while not accepting new certificates.
> > 
> > Could you ask Google to share their whitelist?
> 
> Until they announced, we were not aware that Google would be requesting
> a whitelist. It is quite possible CNNIC will supply us both with the
> same data.

Then I think it would be a good idea to cooperate with Google so that
CNNIC and other CAs take this seriously. If CNNIC doesn't give you the
data: throw them out. If the data is bogus: throw them out.
They're the ones who have to prove that they're trustworthy again.

> > As far as I understand it, without an explicit whitelist nothing would
> > prevent CNNIC from backdating new certificates so that they would be
> > accepted. Is this right or am I missing something?
> 
> Well, if anyone detects them doing this, by e.g. scanning the internet,
> the consequences will be serious. I have no reason to believe that they
> would backdate certs but if they did, they would need to be very
> confident that no-one would notice. If I owned CNNIC, I would not be at
> all confident of this.

The problem is, I have no reason to believe that they wouldn't do it.
Why would I? They broke their CPS and now they're angry that Google
holds them responsible for it! I would like Mozilla to do the same! If
you don't want to remove their root certificate at least make damn
sure that they have no more opportunities to abuse it.

How often do we want to have CAs break the rules before they have to
learn that it hurts quite badly to do so?

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
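The backdating concern raised in the thread, as an added example that is not part of the original message: a date-only cutoff accepts any certificate whose notBefore predates the cutoff, so a backdated certificate slips through, while a fingerprint whitelist does not. The cutoff date and the SHA-256 fingerprints are constructed placeholders, not the real CNNIC data.

```python
from datetime import date

# Constructed cutoff date and whitelist of SHA-256 fingerprints (hex) for
# previously issued certificates that would remain trusted. Placeholders only.
CUTOFF = date(2015, 4, 1)
WHITELIST = {
    "11" * 32,  # constructed fingerprint of a legitimate pre-cutoff cert
    "22" * 32,  # constructed fingerprint of another pre-cutoff cert
}


def date_only_policy(not_before, cutoff=CUTOFF):
    """Accept any certificate whose notBefore predates the cutoff.

    This is the policy the thread worries about: a CA that backdates
    notBefore on a newly issued certificate defeats it.
    """
    return not_before < cutoff


def whitelist_policy(not_before, fingerprint, whitelist=WHITELIST, cutoff=CUTOFF):
    """Accept only certificates that predate the cutoff AND whose fingerprint
    is on the whitelist fixed at the time of the decision.

    Backdating is no longer sufficient: a certificate minted later has a
    fingerprint that was never on the list, regardless of its notBefore.
    """
    return not_before < cutoff and fingerprint.lower() in whitelist


# Constructed test records: a genuine pre-cutoff certificate and one issued
# after the cutoff with a backdated notBefore field.
LEGIT = {"not_before": date(2014, 6, 1), "fingerprint": "11" * 32}
BACKDATED = {"not_before": date(2014, 6, 1), "fingerprint": "ab" * 32}


def evaluate(cert):
    """Return the verdict of both policies for one certificate record."""
    return {
        "date_only": date_only_policy(cert["not_before"]),
        "whitelist": whitelist_policy(cert["not_before"], cert["fingerprint"]),
    }


if __name__ == "__main__":
    for name, cert in (("legit", LEGIT), ("backdated", BACKDATED)):
        print(name, evaluate(cert))
```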
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy