On 18/10/16 01:00, Nick Lamb wrote:
> As I understand it QiHoo 360 says they intend to co-operate in order
> to eventually get the new StartCom CA trusted. If they are unwilling
> to communicate with existing subscribers of both existing CAs
> effectively, it seems to me this is evidence of bad faith and
> excludes the possibility of the new CA being trusted by Mozilla (or
> in my opinion any right-thinking person).
This is a difficult call. On the one hand, I want to stand up for the right of all browsers to make independent decisions on who to trust, and that includes Qihoo 360's Safe Browser. And as it's perfectly possible and not in any way unacceptable or illegal for a CA to operate while not being trusted by Mozilla, I don't think it's reasonable to interfere with the relationship between a CA and its customers by requiring them to make particular forms of communication about Mozilla's level of trust in them.

On the other hand, Qihoo 360 do have a conflict of interest when making trust decisions about the CAs that they own. It is not clear what Qihoo plans to do about WoSign. For StartCom, they plan to rebuild or review all of its systems to remove the influence of WoSign-authored code, which is agreed to be of poor quality. It would certainly be a statement of how Qihoo 360 views security, as to whether StartCom continued to issue certs during this process or whether they suspended issuance until it was done.

I guess I would say the following to Qihoo 360, without knowing what they plan to do. Continuing to trust StartCom and WoSign (assuming the other browsers popular in China do the same), and continuing to issue certs from them while other browsers are refusing them, runs the danger of further splitting the Chinese internet from that of the rest of the world. One thing that's clear about the Internet is that its value to all goes up the more connected it is. Steps which make the Chinese internet and the rest of the world less connected are to be avoided, for everyone's benefit.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy