On Fri, Mar 27, 2015 at 02:09:41PM -0500, Peter Kurrasch wrote:
> Perhaps there is a middle ground of remedies. For consideration:
> 
> 1) Mozilla could refuse to validate any intermediate cert which CNNIC has
> issued to a subordinate CA.  (Note: I'm not sure that's the technically
> precise term here.) Basically, CNNIC may issue intermediates for itself
> but those paths going outside their organization would no longer be
> trusted.  The root itself would remain in the trust store.

That's not something that can be enforced technically; in theory, the
certificate validation code could "whitelist" specified (and pre-arranged)
intermediate CA certificates, but there's nothing that definitively says
"this is an internal intermediate CA certificate" as opposed to "this is an
external intermediate CA certificate", that isn't under the control of the
root CA (which has already demonstrated that it can't be trusted to act in
the public interest).

> 2) I don't think MCS should be trusted to issue certs no matter who
> provides them with intermediate authority.  CNNIC should not be
> permitted to provide that authority but neither should anyone else.  MCS
> fell flat on their faces here by failing to understand the PKI system and
> by failing to understand the proper configuration of their equipment. 
> Mistakes in configurations are what lead to security breaches so this
> failure is really quite significant. 

MCS Holdings is (to my knowledge) a corporate entity.  However, the
corporate entity wasn't the one who screwed up, so to ban the corporate
entity from ever being a CA is pointless.  I doubt that it would be possible
to identify everyone at MCS who was in some way responsible and state that
any organisation they are a part of in the future could not be a CA.

Focusing on MCS is the wrong approach.  CNNIC are the ones who failed to
uphold the trust placed in them, and quite blatantly disregarded their own
audited policies in issuing the intermediate CA certificate.  They must be
held to account for their actions.

- Matt

-- 
<Igloo> I remember going to my first tutorial in room 404. I was most upset
when I found it.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
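The enforceable half of the point Matt makes above (the validator can pin "specified and pre-arranged" intermediates, but nothing in an intermediate's own contents says internal or external) can be shown in code. The following is an added example, not code from the message, from Mozilla, or from any browser; the CA names, the hostname and the hierarchy are constructed for the demonstration. It builds a root with two intermediates that are indistinguishable on their face, runs ordinary Go path validation (which accepts both), and then applies an allowlist keyed on the SPKI hash of whatever the constrained root signed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Allowlist maps the SPKI SHA-256 of a constrained root to the set of SPKI
// SHA-256 values of the intermediates that were pre-arranged with it.
type Allowlist map[string]map[string]bool

// SPKIHash is the hex SHA-256 of the SubjectPublicKeyInfo; it survives
// re-issuance of the same key under a fresh intermediate certificate.
func SPKIHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// ChainAllowed applies the policy to one validated chain (leaf first, root
// last): anything signed directly by a constrained root must be pre-arranged.
func ChainAllowed(chain []*x509.Certificate, allow Allowlist) bool {
	for i := 1; i < len(chain); i++ {
		permitted, constrained := allow[SPKIHash(chain[i])]
		if constrained && !permitted[SPKIHash(chain[i-1])] {
			return false
		}
	}
	return true
}

// VerifyWithAllowlist does normal path validation first, so the error tells
// "cryptographically invalid" apart from "valid but not pre-arranged".
func VerifyWithAllowlist(leaf *x509.Certificate, inters, roots []*x509.Certificate, allow Allowlist) error {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rp.AddCert(r)
	}
	for _, c := range inters {
		ip.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip})
	if err != nil {
		return err
	}
	for _, ch := range chains {
		if ChainAllowed(ch, allow) {
			return nil
		}
	}
	return errors.New("chain is valid but uses an intermediate the root was not permitted to issue")
}

// Demo is a constructed hierarchy (hypothetical names): one root, a
// pre-arranged "internal" intermediate and an "external" one that is not.
// The two intermediates carry no field that marks which is which.
type Demo struct {
	Root, Internal, External, LeafInternal, LeafExternal *x509.Certificate
	Allow                                                Allowlist
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func BuildDemo() Demo {
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	leaf := func(serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "www.example.test"},
			DNSNames:  []string{"www.example.test"},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage:  x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
	}
	rootKey, intKey, extKey, leafKey := mustKey(), mustKey(), mustKey(), mustKey()
	rootTmpl := ca(1, "Example Root CA")
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	internal := mustCert(ca(2, "Example Root CA Issuing CA 1"), root, &intKey.PublicKey, rootKey)
	external := mustCert(ca(3, "Example Reseller Sub CA"), root, &extKey.PublicKey, rootKey)
	return Demo{
		Root: root, Internal: internal, External: external,
		LeafInternal: mustCert(leaf(10), internal, &leafKey.PublicKey, intKey),
		LeafExternal: mustCert(leaf(11), external, &leafKey.PublicKey, extKey),
		Allow:        Allowlist{SPKIHash(root): {SPKIHash(internal): true}},
	}
}

func main() {
	d := BuildDemo()
	inters := []*x509.Certificate{d.Internal, d.External}
	roots := []*x509.Certificate{d.Root}
	fmt.Println("pre-arranged intermediate:", VerifyWithAllowlist(d.LeafInternal, inters, roots, d.Allow))
	fmt.Println("other intermediate:       ", VerifyWithAllowlist(d.LeafExternal, inters, roots, d.Allow))
	fmt.Println("other, no allowlist:      ", VerifyWithAllowlist(d.LeafExternal, inters, roots, nil))
}
```

The third call passes a nil allowlist and succeeds: the external chain is cryptographically sound, so the only thing the validator can act on is the out-of-band list. That list has to be maintained by the trust store operator, not derived from the root, which is the practical limit Matt describes.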