As noted in our earlier conclusion with regard to CNNIC's status [1], the
CNNIC roots are currently in a partially disabled state, in which
certificates chaining to these roots are only to be accepted if they were
issued before 1 Apr 2015.  CNNIC may reapply for full inclusion following
the normal process, along with any additional steps that this community
decides to require of them.  The purpose of this thread is to discuss what
additional steps, if any, we should require.

CNNIC has already provided Mozilla with a list of certificates issued
before 1 Apr 2015.  We are working on publishing this list.  CNNIC has also
informed Mozilla that they plan to take the following steps:

A. Provide a list of changes that they have made to ensure that there are
no future violations of the Baseline Requirements

B. Improve their management process for authorizing intermediate CAs, and
lay out this improved process in their CP and CPS

C. Include in this year's WebTrust audit an explicit confirmation by the
auditor that these changes have been implemented and enforced

Other steps that I have heard mentioned include the following:

D. Require CNNIC to implement Certificate Transparency [2][3]

E. Require a certain amount of time to pass before CNNIC's re-inclusion
request will be considered.

F. Require the re-enabled CNNIC roots to have name constraints that
restrict them to TLDs for which they are authoritative.

Please use this thread to comment on these options, or to offer suggestions
for other requirements.  I would like to arrive at a plan in the next few weeks.

Thanks,
--Richard

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/czwlDNbwHXM/qPcyC_DWlSwJ
[2] http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
[3] http://tools.ietf.org/html/rfc6962
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
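Option F in the post above proposes re-enabling the CNNIC roots only with name constraints limiting them to the TLDs for which they are authoritative. The following is an added example, not code from the thread or from Mozilla, showing what a relying party actually does with such a constraint under RFC 5280 section 4.2.1.10: it walks every CA in the path, takes that CA's permitted and excluded dNSName subtrees, and rejects a leaf whose DNS SAN falls outside them. It covers the general case (several constrained CAs in one path, excluded as well as permitted subtrees) rather than only the single-root case the post describes. The constraint value "cn" and the host names are illustrative assumptions; the post names no specific TLD.

```python
"""RFC 5280 dNSName name-constraint matching.

Added example, not from the mailing-list post.  The subtree values used in
the demo (e.g. "cn", "example.cn") are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass
class DnsConstraints:
    """The dNSName part of one CA certificate's NameConstraints extension."""
    permitted: List[str] = field(default_factory=list)
    excluded: List[str] = field(default_factory=list)


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively.  Also tolerate a trailing root
    # dot and the OpenSSL config habit of writing a suffix as ".cn".
    return name.lower().strip(".")


def dns_in_subtree(name: str, subtree: str) -> bool:
    """A dNSName is in subtree S if it equals S or is formed by adding one or
    more labels to the left of S (RFC 5280 4.2.1.10).  Label boundaries
    matter: "examplecn" is not under "cn", but "www.example.cn" is."""
    n, s = _normalize(name), _normalize(subtree)
    if s == "":
        return True  # an empty subtree matches every DNS name
    return n == s or n.endswith("." + s)


def dns_name_allowed(name: str, constraints: DnsConstraints) -> bool:
    """One CA's verdict on one leaf DNS name.

    Excluded subtrees always win.  If the CA lists no permitted dNSName
    subtrees at all, names of this type are unconstrained by that CA."""
    if any(dns_in_subtree(name, ex) for ex in constraints.excluded):
        return False
    if not constraints.permitted:
        return True
    return any(dns_in_subtree(name, p) for p in constraints.permitted)


def chain_allows(path: Iterable[DnsConstraints],
                 leaf_dns_names: Iterable[str]) -> Optional[str]:
    """Check every DNS SAN of a leaf against every CA in the path.

    Constraints accumulate down the path: a name must satisfy each CA
    independently, so a sub-CA can narrow but never widen what the root
    permits.  Returns None when the chain is acceptable, otherwise the
    first offending name (the value a verifier would report)."""
    cas = list(path)
    for name in leaf_dns_names:
        for ca in cas:
            if not dns_name_allowed(name, ca):
                return name
    return None


if __name__ == "__main__":
    # Assumed: a re-enabled root constrained to the cn TLD, followed by an
    # intermediate that carries no dNSName constraints of its own.
    constrained_root = DnsConstraints(permitted=["cn"])
    plain_intermediate = DnsConstraints()
    path = [constrained_root, plain_intermediate]

    # Constructed leaf SAN lists: the first stays inside the subtree, the
    # second contains a name the constrained root must reject.
    print(chain_allows(path, ["www.example.cn", "*.mail.com.cn"]))
    print(chain_allows(path, ["www.example.cn", "www.example.com"]))
```

Note that dNSName constraints only govern DNS-type names; iPAddress and directoryName SANs are matched against subtrees of their own type, so a constraint of the form proposed in option F says nothing about a leaf that carries only an IP address SAN.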
