MCS wants to issue their own certs eventually, but they are clearly not up to that task, not right now at least. The question I think the security community should consider is how MCS might be able to demonstrate they have the right level of knowledge, experience, and maturity that warrants trust in the certs they issue. Has trust been irretrievably damaged?
I'm not suggesting I have a firm answer in mind, but I am saying that while we're focusing on CNNIC it doesn't seem right that the actual perpetrator suffers no consequence.

Original Message
From: Peter Bowen
Sent: Wednesday, March 25, 2015 8:26 PM
To: Peter Kurrasch
Cc: Daniel Micay; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Consequences of mis-issuance under CNNIC

On Wed, Mar 25, 2015 at 6:24 PM, Peter Kurrasch <fhw...@gmail.com> wrote:
> Someone correct me if I'm wrong, but my understanding of the Superfish
> debacle is that sites that have EV certs would get the green bar treatment on
> other devices but not on the Lenovo devices where Superfish was installed.
> The implication, then, is that the green bar provides no improvement in
> security since apparently nobody noticed it wasn't there.
>
> That being the case, if there is little security benefit to having the green
> bar to begin with then taking it away seems...feckless?
>
> Besides, while CNNIC clearly made mistakes they aren't the ones who generated
> a google.com cert. Seems to me some responsibility should be borne by the
> folks at MCS Holdings, too.

The MCS Holdings certificate was already revoked. What more do you want from them?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy