On 25/03/15 10:52 PM, Peter Kurrasch wrote:
> MCS wants to issue their own certs eventually but they are clearly not up to
> that task--not right now at least. The question I think the security
> community should consider is how MCS might be able to demonstrate they have
> the right level of knowledge, experience, and maturity that warrants trust in
> the certs they issue. Has trust been irretrievably damaged?
>
> I'm not suggesting I have a firm answer in mind, but I am saying that while
> we're focusing on CNNIC it doesn't seem right that the actual perpetrator
> suffers no consequence.

CNNIC is an "actual perpetrator" too. They directly violated a dozen rules in the CA policy. I'd expect that they knew the certificate was being used for MITM attacks anyway... the alternative of them handing it out without knowing the purpose isn't any less frightening.

MCS is free to implement Certificate Transparency, start releasing all of their audit reports in full, including ones they fail, and they could open-source their infrastructure's code to prove that it's high quality and enforces the correct constraints. I'm not sure why they'd be a good candidate even after all of that when there are plenty of others with no history of black hat behavior.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy