>> As far as I understand it, without an explicit whitelist nothing would
>> prevent CNNIC from backdating new certificates so that they would be
>> accepted. Is this right or am I missing something?
> 
> Well, if anyone detects them doing this, by e.g. scanning the internet,
> the consequences will be serious. I have no reason to believe that they
> would backdate certs but if they did, they would need to be very
> confident that no-one would notice. If I owned CNNIC, I would not be at
> all confident of this.

Is there really a way we could notice this? Other than a leak from an
employee at CNNIC...


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
