To update everyone following this issue, a patch implementing the strategy of only accepting certain whitelisted certificates issued by CNNIC roots is on its way to landing in mozilla-central [0]. It will be uplifted to other branches as appropriate. More details are in bug 1151512 [1].
Cheers,
David Keeler

[0] https://hg.mozilla.org/integration/mozilla-inbound/rev/c94a39913b47
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1151512

On 04/02/2015 10:24 AM, Richard Barnes wrote:
> Thanks for the feedback on this plan, everyone. Gerv, Kathleen, and I have
> discussed it, and our judgement is that there's consensus here to move
> forward with the plan as proposed:
>
> * Do not remove the CNNIC root, but
> * Reject certificates chaining to CNNIC with a notBefore date after a
> threshold date.
> * Request that CNNIC provide a list of currently valid certificates, and
> publish that list so that the community can recognize any back-dated certs
> * Allow CNNIC to re-apply for full inclusion, with some additional
> requirements (to be discussed on this list)
> * If CNNIC's re-application is unsuccessful, then their root certificates
> will be removed
>
> We may also enforce a whitelist, as suggested on the list, if it turns out
> to be feasible.
>
> We will need to have a follow-on discussion to work out some additional
> details, e.g., what conditions should be placed on CNNIC's re-inclusion. I
> will send a message starting that thread later today.
>
> There will shortly be a post on the Mozilla Security Blog outlining this
> decision, along with more background.
> https://blog.mozilla.org/security/
>
> Thanks again to everyone for the robust discussion here.
>
> --Richard

