On 3/23/2015 5:59 PM, Peter Kurrasch wrote: > Hi Richard, > > Is the proposal to limit CNNIC roots to only .cn domains or would others be > allowed? > > I'm curious to know what CNNIC's perspective is on this proposal, so will a > representative be replying in this forum? > > Thanks. > > Original Message > From: Richard Barnes > Sent: Monday, March 23, 2015 5:48 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Consequences of mis-issuance under CNNIC > > Dear dev.security.policy, > > It has been discovered that an intermediate CA under the CNNIC root has > mis-issued certificates for some Google domains. Full details can be found > in blog posts by Google [0] and Mozilla [1]. We would like to discuss what > further action might be necessary in order to maintain the integrity of the > Mozilla root program, and the safety of its users. > > There have been incidents of this character before. When ANSSI issued an > intermediate that was used for MitM, name constraints were added to limit > its scope to French government domains. When TurkTrust mis-issued > intermediate certificates, they changed their procedures and then they were > required to be re-audited in order to confirm their adherence to those > procedures. > > We propose to add name constraints to the CNNIC root in NSS to minimize the > impact of any future mis-issuance incidents. The “update procedures and > re-audit” approach taken with TurkTrust is not suitable for this scenario. > Because the mis-issuance was done by a customer of CNNIC, it’s not clear > that updates to CNNIC’s procedures would address the risks that led to this > mis-issuance. We will follow up this post soon with a specific list of > proposed constraints. > > Please send comments to this mailing list. We would like to have a final > plan by around 1 April. > > Thanks, > --Richard > > [0] > http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html > [1] > https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/ > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy >
What assurance is there that the mis-issued certificates were not intentional. The approval of the CNNIC was quite controversial. Assertions were made that CNNIC is actually an agent of the Chinese military. -- David E. Ross I am sticking with SeaMonkey 2.26.1 until saved passwords can be used when autocomplete=off. See <https://bugzilla.mozilla.org/show_bug.cgi?id=433238>. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy