On 4/2/15 10:24 AM, Richard Barnes wrote:
Thanks for the feedback on this plan, everyone. Gerv, Kathleen, and I have
discussed it, and our judgement is that there's consensus here to move
forward with the plan as proposed:
* Do not remove the CNNIC root, but
* Reject certificates chaining to CNNIC with a notBefore date after a
threshold date*.*
* Request that CNNIC provide a list of currently valid certificates, and
publish that list so that the community can recognize any back-dated certs
* Allow CNNIC to re-apply for full inclusion, with some additional
requirements (to be discussed on this list)
* If CNNIC's re-application is unsuccessful, then their root certificates w
ill be removed
We may also enforce a whitelist, as suggested on the list, if it turns out
to be feasible.
We will need to have a follow-on discussion to work out some additional
details, e.g., what conditions should be placed on CNNIC's re-inclusion. I
will send a message starting that thread later today.
There will shortly be a post on the Mozilla Security Blog outlining this
decision, along with more background.
https://blog.mozilla.org/security/
Thanks again to everyone for the robust discussion here.
--Richard
We published a security blog about this:
https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/
As Richard said, we'll start separate thread to discuss the details of
implementing this plan.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
