On 18/10/16 01:00, Nick Lamb wrote:
> As I understand it QiHoo 360 says they intend to co-operate in order
> to eventually get the new StartCom CA trusted. If they are unwilling
> to communicate with existing subscribers of both existing CAs
> effectively, it seems to me this is evidence of bad faith and
> excludes the possibility of the new CA being trusted by Mozilla (or
> in my opinion any right-thinking person).
This is a difficult call.
On the one hand, I want to stand up for the right of all browsers to
make independent decisions on who to trust, and that includes Qihoo
360's Safe Browser. And as it's perfectly possible and not in any way
unacceptable or illegal for CA to operate while not being trusted by
Mozilla, I don't think it's reasonable to interfere with thr
relationship between a CA and its customers by requiring them to make
particular forms of communication about Mozilla's level of trust in them.
On the other hand, Qihoo 360 do have a conflict of interest when making
trust decisions about the CAs that they own.
It is not clear what Qihoo plans to do about WoSign. For StartCom, they
plan to rebuild or review all of its systems to remove the influence of
WoSign-authored code, which is agreed to be of poor quality. It would
certainly be a statement of how Qihoo 360 views security, as to whether
StartCom continued to issue certs during this process or whether they
suspended issuance until it was done.
I guess I would say the following to Qihoo 360, without knowing what
they plan to do. Continuing to trust StartCom and WoSign (assuming the
other browsers popular in China do the same), and continuing to issue
certs from them while other browsers are refusing them, runs the danger
of further splitting the Chinese internet from that of the rest of the
world. One thing that's clear about the Internet is that its value to
all goes up the more connected it is. Steps which make the Chinese
internet and the rest of the world less connected are to be avoided, for
dev-security-policy mailing list