Hi Percy, On 24/05/15 06:19, [email protected] wrote: > This is Percy from GreatFire.org. We have long advocated for the > revoking of CNNIC. > https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=site%3Agreatfire.org%20cnnic > > If CNNIC were to re-included, CT MUST be implemented.
At the moment, Mozilla does not have an official position of support for CT - we are "watching with interest" :-) Therefore, it's not really appropriate for Mozilla to mandate CT-related things as conditions of reinclusion for CNNIC. Google, of course, does not have to follow Mozilla's trust decisions and they may impose their own conditions for re-inclusion in Chrome. > Name > constrains to .cn is strongly recommended. We are having a discussion about the general principle of name-constraining government CAs at the moment. Please read the introductory message carefully, and then you are welcome to participate. > Is it possible to include additional CA checks for CNNIC? For > example, if a website is signed by both verisign and CNNIC in a short > period, it will be flagged for manual renew. I'm not sure exactly how that would work. Who would do this check, and when, and what would they do if they found something they thought was problematic? Gerv _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
