Perhaps there is a middle ground of remedies. For consideration: 1) Mozilla could refuse to validate any intermediate cert which CNNIC has issued to a subordinate CA. (Note: I'm not sure that's the technically precise term here.) Basically, CNNIC may issue intermediates for itself but those paths going outside their organization would no longer be trusted. The root itself would remain in the trust store.
2) I don't think MCS should be trusted to issue certs no matter who provides them with intermediate authority. CNNIC should not be permitted to provide that authority but neither should anyone else. MCS fell flat on their faces here by failing to understand the PKI system and by failing to understand the proper configuration of their equipment. Mistakes in configurations are what lead to security breaches so this failure is really quite significant. Original Message From: Matt Palmer Sent: Friday, March 27, 2015 3:51 AM To: dev-security-policy@lists.mozilla.org Subject: Re:答复: 答复:Consequences of mis-issuance under CNNIC On Fri, Mar 27, 2015 at 02:41:03PM +0800, Man Ho (Certizen) wrote: > > On 3/27/2015 1:29 AM, Charles Reiss wrote: > > Although it's rather irrelevant to whether CNNIC has complied with Mozilla's > > policies: This device designed to issue certs without verifying domain > > control. > > Does CNNIC not regard this as strong evidence that MCS's agreement was made > > in > > bad faith? > > Yeah, if this device is designed to issue certificates automatically. > Why does it have this feature? The answer is obviously for traffic > monitoring. But then why Paloalto would develop such problematic feature > which violate security principle? If it is a common feature in Paloalto > firewall (or even other brands of firewalls), I'd believe that many > organizations are doing the same thing. Should firewall vendors or > developers take some responsibilities too? I don't see why -- there are legitimate(ish) reasons for wanting to do this, and within a closed ecosystem, where everyone is OK with it (or, if they're not OK with it, they'd be fired) there's no reason not to use the device. The *correct* way to deploy these devices is to generate a local root CA certificate and install that in the trust store of all devices which use the network. That is perfectly legitimate, once again, because the owner of the device gives permission to do so (typically, all devices are owned by the organisation deploying the appliance). What *is* a shady practice is what's gone on here -- MCS got a globally-trusted intermediate CA private key and cert and used that to MitM. The problem with this is that it allows MCS to intercept and inspect traffic from devices which have *not* consented to have their traffic so manipulated. A root CA which allows such an activity to take place is not, IMO, worthy of the trust placed in it by the greater public, and therefore I'm in favour of CNNIC's removal from the Mozilla trust store (preferably with one of the user-harm-minimisation strategies that others have described). - Matt -- English is about as pure as a cribhouse whore. We don't just borrow words; on occasion, English has pursued other languages down alleyways to beat them unconscious and rifle their pockets for new vocabulary." -- James D. Nicoll, resident of rec.arts.sf.written _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy