This is Percy from GreatFire.org. We have long advocated for the revoking of CNNIC. https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=site%3Agreatfire.org%20cnnic
If CNNIC were to be re-included, CT MUST be implemented. Name constraints to .cn are strongly recommended. Is it possible to include additional CA checks for CNNIC? For example, if a website is signed by both VeriSign and CNNIC in a short period, it will be flagged for manual renew. The fraudulent Google cert was discovered by Chrome in a similar fashion.
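The issuer-switch check suggested in the message above, sketched as an added example that is not part of the original post or of any browser's code. The observation format, the 30-day window, and the watch list are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample observations: (hostname, issuing CA, time the certificate
# was first seen, e.g. in a CT log or by a client). Not real data.
OBSERVATIONS = [
    ("mail.example.com", "VeriSign", "2015-03-01T00:00:00"),
    ("mail.example.com", "CNNIC", "2015-03-04T12:00:00"),
    ("shop.example.cn", "CNNIC", "2014-01-10T00:00:00"),
    ("shop.example.cn", "CNNIC", "2015-01-09T00:00:00"),
    ("www.example.org", "VeriSign", "2013-06-01T00:00:00"),
    ("www.example.org", "CNNIC", "2015-02-01T00:00:00"),
]

WATCHED_ISSUERS = {"CNNIC"}   # assumption: CAs that get the extra check
WINDOW = timedelta(days=30)   # assumption: what counts as "a short period"


def flag_issuer_switches(observations, watched=WATCHED_ISSUERS, window=WINDOW):
    """Return (host, earlier CA, later CA, days apart) for every hostname whose
    consecutive certificates come from different CAs within `window`, where at
    least one of the two CAs is on the watch list."""
    by_host = defaultdict(list)
    for host, issuer, seen in observations:
        # Normalise case and a trailing dot so one site is not split in two.
        key = host.lower().rstrip(".")
        by_host[key].append((datetime.fromisoformat(seen), issuer))

    flagged = []
    for host, certs in sorted(by_host.items()):
        certs.sort()  # oldest first
        for (t_prev, ca_prev), (t_next, ca_next) in zip(certs, certs[1:]):
            switched = ca_prev != ca_next
            involves_watched = ca_prev in watched or ca_next in watched
            if switched and involves_watched and t_next - t_prev <= window:
                flagged.append((host, ca_prev, ca_next, (t_next - t_prev).days))
    return flagged


if __name__ == "__main__":
    for host, old_ca, new_ca, days in flag_issuer_switches(OBSERVATIONS):
        print(f"{host}: {old_ca} -> {new_ca} after {days} days, needs manual review")
```

A same-CA renewal and a CA change that happens years apart are both left alone; only the rapid switch involving a watched CA is reported.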

