On 7/26/13 11:15 PM, jeffwang....@gmail.com wrote:
Because: The Mainland's people know,the CNNIC is a branch unit of Chinese Acadmy of
Science,a ministerial level government organization of the Central Government of
China,name as "The State Council of the people's Republic of China"
So:CNNIC is not a NGO as Liu Yan's saying.
Because:CNNIC is controlled by The State Council of the people's Republic of
China
So: "CNNIC ROOT" CA is not trusted by The people in the mainland,so do I.
So:"CNNIC ROOT" could be used on the bad ways,such as:steal the password by
forge a cert on G*r*e*a*t*F*i*r*e*W*a*l*l,etc.
So:plz del the "CNNIC ROOT" from NSS for usr safety!
This has been discussed extensively in the mozilla.dev.security.policy
forum.
https://groups.google.com/d/msg/mozilla.dev.security.policy/xx8iuyLPdQk/JZtNE0GgucMJ
We recently added policy to help deter against CAs being compelled (e.g.
by their government) to mis-issue certificates -- see item #3 of
http://www.mozilla.org/projects/security/certs/policy/EnforcementPolicy.html
While Mozilla’s policy already stated that Mozilla may take any steps we
deem appropriate to protect our users, the additional policy clarifies
that knowing or intentionally mis-issuing a certificate may result in
disablement or removal of all of the CA's certificates from NSS.
To date, we have not found evidence of CNNIC behaving badly as a CA.
If it is found that CNNIC (or any other CA) has knowingly or
intentionally mis-issued a certificate, then that will be grounds for
removing their root certs from NSS.
As with all included CA root certificates, users may over-ride the
default root certificate settings and turn off the trust bits, as
described here:
https://wiki.mozilla.org/CA:UserCertDB#Changing_Root_Certificate_Trust_Bit_Settings
Kathleen
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto