I seriously think you guys are following google off a cliff mission here.

China has an enormous internet population and enormous number of websites. Yes 
CNNIC acted like a dangerous kid. But you really think making all Chinese 
unable to do any online transaction is the solution we want to push?

It would be a golden opportunity for Chinese gov to push for a "home-grown 
browser that is not under the control of western imperialism governments" for 
sure.

We can advocate the problem through Mozilla community in China, understand that 
the impact is minimal. But then again, with Mozilla's market in China, not much 
we can do that will be significant.

My suggestion: follow IE, Microsoft said they will do something, and they have 
the largest market share in China.

Seriously, stop following Chrome, in doing pretty much anything.

On Monday, March 23, 2015 at 6:48:10 PM UTC-4, Richard Barnes wrote:
> Dear dev.security.policy,
> 
> It has been discovered that an intermediate CA under the CNNIC root has
> mis-issued certificates for some Google domains.  Full details can be found
> in blog posts by Google [0] and Mozilla [1].  We would like to discuss what
> further action might be necessary in order to maintain the integrity of the
> Mozilla root program, and the safety of its users.
> 
> There have been incidents of this character before.  When ANSSI issued an
> intermediate that was used for MitM, name constraints were added to limit
> its scope to French government domains.  When TurkTrust mis-issued
> intermediate certificates, they changed their procedures and then they were
> required to be re-audited in order to confirm their adherence to those
> procedures.
> 
> We propose to add name constraints to the CNNIC root in NSS to minimize the
> impact of any future mis-issuance incidents.  The "update procedures and
> re-audit" approach taken with TurkTrust is not suitable for this scenario.
> Because the mis-issuance was done by a customer of CNNIC, it's not clear
> that updates to CNNIC's procedures would address the risks that led to this
> mis-issuance.  We will follow up this post soon with a specific list of
> proposed constraints.
> 
> Please send comments to this mailing list.  We would like to have a final
> plan by around 1 April.
> 
> Thanks,
> --Richard
> 
> [0]
> http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
> [1]
> https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
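For readers unfamiliar with the remedy the quoted post proposes, here is an added, stand-alone illustration of how X.509 name constraints (RFC 5280 section 4.2.1.10, dNSName form) are evaluated against a leaf certificate's subject alternative names. This is example code written for this page, not NSS code or anything from the Mozilla root program, and the constraint values (`example.cn`, `example.com`) are constructed placeholders, not the list of constraints the post says would follow later. The chain walk at the end shows why a constraint placed on the root reaches every intermediate beneath it: each CA's constraints apply to all certificates below it, so the leaf must satisfy every set in the path.

```python
"""Evaluate RFC 5280 dNSName name constraints against a leaf certificate's SANs.

Added example for illustration only; constraint values are constructed placeholders.
Only the dNSName name form is handled; IP, email and directory-name forms are omitted.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class NameConstraints:
    """permittedSubtrees / excludedSubtrees of one CA certificate (dNSName only)."""
    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is the same name.
    return name.strip().rstrip(".").lower()


def dns_matches(name: str, constraint: str) -> bool:
    """True if `name` lies in the subtree rooted at `constraint`.

    RFC 5280: any name built by adding zero or more labels to the left of the
    constraint satisfies it, so "example.cn" covers "example.cn" and
    "www.example.cn" but not "badexample.cn" (label boundary respected).
    """
    name, constraint = _normalize(name), _normalize(constraint)
    if name.startswith("*."):
        # A wildcard SAN is judged by the part after the wildcard label. It fits a
        # constraint only if that remainder does, so "*.example.cn" is within
        # "example.cn" but is rejected against a deeper "www.example.cn".
        name = name[2:]
    return name == constraint or name.endswith("." + constraint)


def evaluate(sans: list[str], nc: NameConstraints) -> tuple[bool, list[str]]:
    """Check every SAN against one CA's constraints.

    A SAN passes when it is inside at least one permitted subtree (if any are
    listed) and inside no excluded subtree. Returns (allowed, reasons).
    """
    reasons: list[str] = []
    for san in sans:
        if nc.permitted and not any(dns_matches(san, p) for p in nc.permitted):
            reasons.append(f"{san}: not in any permitted subtree")
        excluded_hits = [e for e in nc.excluded if dns_matches(san, e)]
        if excluded_hits:
            reasons.append(f"{san}: in excluded subtree {excluded_hits[0]}")
    return (not reasons, reasons)


def chain_allowed(sans: list[str], path: list[NameConstraints]) -> tuple[bool, list[str]]:
    """Apply the constraints of every CA in the path (root first) to the leaf.

    Constraints only ever narrow what is allowed, so a root-level constraint
    binds every intermediate issued under it, including ones not yet seen.
    """
    all_reasons: list[str] = []
    for depth, nc in enumerate(path):
        ok, reasons = evaluate(sans, nc)
        if not ok:
            all_reasons.extend(f"CA[{depth}] {r}" for r in reasons)
    return (not all_reasons, all_reasons)


# Constructed placeholder: a root constrained to one namespace.
ROOT_NC = NameConstraints(permitted=["example.cn"])

if __name__ == "__main__":
    # Constructed leaf certificates, expressed only by their SAN lists.
    inside = ["www.example.cn", "*.mail.example.cn"]
    outside = ["www.example.com"]
    print(evaluate(inside, ROOT_NC))   # (True, [])
    print(evaluate(outside, ROOT_NC))  # (False, ['www.example.com: not in any permitted subtree'])
    # An unconstrained intermediate under the constrained root still cannot
    # issue outside the root's namespace.
    print(chain_allowed(outside, [ROOT_NC, NameConstraints()]))
```

The useful property for a root program is the last call: revoking one mis-issuing intermediate removes only that intermediate, while a constraint on the root bounds the damage any present or future intermediate under it can do, which is the distinction the quoted post draws between the TurkTrust remedy and the one proposed here.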
