On Tue, May 26, 2015 at 5:50 AM, Gervase Markham <[email protected]> wrote:
> On 24/05/15 06:19, [email protected] wrote: > > This is Percy from GreatFire.org. We have long advocated for the > > revoking of CNNIC. > > > https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=site%3Agreatfire.org%20cnnic > > > > If CNNIC were to re-included, CT MUST be implemented. > > At the moment, Mozilla does not have an official position of support for > CT - we are "watching with interest" :-) Therefore, it's not really > appropriate for Mozilla to mandate CT-related things as conditions of > reinclusion for CNNIC. > We should be careful we don't don't turn that into "Mozilla doesn't implement CT, so Mozilla has to allow CNNIC back in without requiring CT, even if it would be clearly less safe to do so." A better interpretation would be "Mozilla can't let CNNIC back in until it implements CT or similar, because doing so would be clearly less safe." By the way, what is Firefox's market share in China and other places that commonly use CNNIC-issued certificates? My understanding is that it is close to 0%. That's why it was relatively easy to remove them in the first place. It also means that there's no need to rush to add them back, AFAICT. Cheers, Brian _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
