Richard Barnes <rbar...@mozilla.com> wrote:
>> My argument is that if we think that CNNIC is likely to cause such
>> mis-issuance to occur because it runs the registry for those TLDs,
>> then there should be additional controls in place so that control over
>> those registries won't result in misissuance.
>
> Constraining what a registry can do for names over which it is authoritative
> is exactly what things like pinning and CT are for.  So maybe what you're
> actually saying is that there should be a requirement for CT as a check on
> CNNIC's ability to issue even for names for which they are authoritative?

Yes.

If a US-based CA were in a similar situation, would we consider name
constraining them to *.com, *.org, *.net, *.us? No, because that's not
much of a constraint. For people within China and others, a name
constraint of "*.cn" isn't much different than that. I think such a
constraint gives most of the people on this list a false sense of
resolution, because *.cn websites aren't relevant to our
security, so constraining CNNIC to *.cn is basically equivalent to
keeping them out of the program. But, there are many millions of
people for whom the security of *.cn websites does matter, and name
constraints don't help them.

Also, given how things seem to go in China, it seems reasonable to
expect some authorities in China to react to removal or limiting CNNIC
by blocking Let's Encrypt from operating correctly for *.cn and/or for
servers operating in China. Consequently, I'm doubting that building a
wall is ultimately what's best in the long term. The advantage of the
CT-based approach is that it avoids being such a wall.

Cheers,
Brian
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
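The thread turns on what an X.509 dNSName name constraint actually does: a CA constrained to "cn" is blocked from issuing for mozilla.org but can still issue for any name under .cn, which is the point made above about *.cn users. The following is an added example, not code from the thread or from any CA program; it implements the dNSName matching rule of RFC 5280 section 4.2.1.10 in pure Python (labels added to the left of the constraint satisfy it, compared label by label and case-insensitively), plus the leading-dot "subdomains only" convention used by OpenSSL, which is not RFC text. The constraint lists and hostnames are constructed sample data.

```python
"""RFC 5280 4.2.1.10 dNSName name-constraint matching (added example).

Models only the dNSName form of permittedSubtrees / excludedSubtrees;
rfc822Name, iPAddress and directoryName constraints are out of scope.
The leading-dot form (".example.cn" matches subdomains only) follows
OpenSSL's behaviour and is an assumption beyond the RFC text.
"""
from dataclasses import dataclass, field


def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; tolerate a trailing dot.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(hostname: str, constraint: str) -> bool:
    """True if hostname lies within the subtree named by constraint.

    RFC 5280: any name formed by adding zero or more labels to the left
    of the constraint satisfies it, so "cn" covers "cn", "example.cn"
    and "www.example.cn". A leading dot restricts the match to names
    that add at least one label.
    """
    subdomains_only = constraint.startswith(".")
    suffix = _labels(constraint.lstrip("."))
    host = _labels(hostname)
    if len(host) < len(suffix):
        return False
    if subdomains_only and len(host) == len(suffix):
        return False
    # Whole-label comparison, so "examplecn.com" does not match "cn".
    return host[-len(suffix):] == suffix


@dataclass
class DnsNameConstraints:
    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)

    def permits(self, hostname: str) -> bool:
        # An excluded subtree always wins. An empty permitted list means
        # the extension places no positive restriction on dNSName.
        if any(dns_name_matches(hostname, c) for c in self.excluded):
            return False
        if not self.permitted:
            return True
        return any(dns_name_matches(hostname, c) for c in self.permitted)


def issuable_names(constraints: DnsNameConstraints, candidates: list[str]):
    """Partition candidate hostnames into (allowed, rejected) lists."""
    allowed = [h for h in candidates if constraints.permits(h)]
    rejected = [h for h in candidates if not constraints.permits(h)]
    return allowed, rejected


if __name__ == "__main__":
    # Constructed sample: a CA constrained to the "cn" subtree.
    ca_constrained_to_cn = DnsNameConstraints(permitted=["cn"])
    sample = ["www.example.cn", "bank.com.cn", "cn", "examplecn.com",
              "mozilla.org", "google.com"]
    ok, bad = issuable_names(ca_constrained_to_cn, sample)
    print("could still be issued:", ok)
    print("blocked by constraint:", bad)
```

Running it shows the asymmetry the message describes: every name under .cn stays issuable by the constrained CA, so the constraint protects users of mozilla.org and google.com but does nothing for users of bank.com.cn. An excludedSubtrees entry (for example "gov.cn") can carve out a subtree, but it still cannot express "only issue for names you validated", which is the property CT logging is meant to make auditable.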