On 08/04/15 01:31, Richard Barnes wrote:
> decides to require of them. The purpose of this thread is to discuss what
> additional steps, if any, we should require.
>
> CNNIC has already provided Mozilla with a list of certificates issued
> before 1 Apr 2015. We are working on publishing this list. CNNIC has also
> informed Mozilla that they plan to take the following steps:

> D. Require CNNIC to implement Certificate Transparency [2][3]

The Google blogpost that you reference says "CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion." So, assuming CNNIC are also interested in being re-enabled in Chrome, it seems like there is no need for Mozilla to require this - CNNIC will be doing it anyway. Every certificate they issue will be publicly logged.

> E. Require a certain amount of time to pass before CNNIC's re-inclusion
> request will be considered.

I think there is value in this. If CNNIC know that a reinclusion request will not be considered for at least time period X, that removes from them the temptation to rush the work they need to do in order to be ready as soon as possible.

> F. Require the re-enabled CNNIC roots to have name constraints that
> restrict them to TLDs for which they are authoritative.

As far as I can see, CNNIC is the registry for five TLDs:

- .cn
- .xn--fiqz9s (.中國; .china in traditional characters)
- .xn--fiqs8s (.中国; .china in simplified characters)
- .xn--io0a7i (.网络; basically .net in Chinese)
- .xn--55qx5d (.公司; basically .com in Chinese)

https://www.iana.org/domains/root/db/cn.html
https://www.iana.org/domains/root/db/xn--fiqz9s.html
https://www.iana.org/domains/root/db/xn--fiqs8s.html
https://www.iana.org/domains/root/db/xn--io0a7i.html
https://www.iana.org/domains/root/db/xn--55qx5d.html

If we take the position that CNNIC is effectively a government CA, then that would suggest (if we take this route) restricting them to the first three on that list. However, it makes no sense to prevent a CA issuing certs for TLDs for which it is also the organization which controls the DNS, given the many ways of validating cert issuance which directly or indirectly use the DNS. So that would suggest restricting them to all five.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
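As an added worked example (not code from this thread, and not anything CNNIC or Mozilla published), the following stdlib-only Python shows what the dNSName part of the name constraints proposed in item F would actually enforce: the five TLDs Gerv lists are used as the permittedSubtrees, and constructed SAN lists stand in for leaf certificates. It demonstrates three details a practitioner checking such a constraint cares about: matching is per DNS label, so `example.notcn` is not inside `cn`; a SAN written as a U-label (`例子.中国`) must be compared in A-label form (`xn--fiqs8s`) or it silently fails the constraint; and the leading-dot spelling (`.cn`, accepted by NSS and OpenSSL) means proper subdomains only, unlike the plain RFC 5280 form. The function and variable names are mine, and the sample hostnames are constructed for this example.

```python
"""RFC 5280 4.2.1.10 dNSName name-constraint matching (added example).

Not CNNIC's or Mozilla's code.  Permitted subtrees are the five TLDs the
post lists, in the A-label form the nameConstraints extension would carry.
Only the dNSName GeneralName form is handled here.
"""

# Constructed from the five TLDs listed in the post (A-label form).
CNNIC_PERMITTED = ["cn", "xn--fiqz9s", "xn--fiqs8s", "xn--io0a7i", "xn--55qx5d"]


def to_alabels(name: str) -> list:
    """Split a DNS name into labels, lower-cased and converted to A-labels
    (punycode) with the stdlib 'idna' codec, so that '例子.中国' and
    'xn--fsqu00a.xn--fiqs8s' compare equal.  A trailing dot is ignored and
    a '*' wildcard label is kept as-is."""
    labels = []
    for label in name.rstrip(".").lower().split("."):
        if not label:
            raise ValueError("empty label in %r" % name)
        labels.append(label if label == "*" else label.encode("idna").decode("ascii"))
    return labels


def dns_name_matches(name: str, subtree: str) -> bool:
    """True if `name` lies within the dNSName `subtree`.

    RFC 5280 form ('cn'): any name formed by adding zero or more labels on
    the left matches, so 'cn', 'example.cn' and 'www.example.cn' match while
    'example.notcn' does not (comparison is per label, never a string suffix).
    Leading-dot form ('.cn'), as NSS and OpenSSL accept it: proper subdomains
    only, so the bare 'cn' does not match.
    """
    subdomains_only = subtree.startswith(".")
    s_labels = to_alabels(subtree.lstrip("."))
    n_labels = to_alabels(name)
    if len(n_labels) < len(s_labels):
        return False
    if subdomains_only and len(n_labels) == len(s_labels):
        return False
    return n_labels[-len(s_labels):] == s_labels


def name_constraint_violations(san_dns_names, permitted, excluded=()):
    """Return the SAN dNSNames a relying party must reject: each name must
    fall inside at least one permitted subtree (when any are given) and
    inside no excluded subtree.  An empty result means the leaf passes."""
    bad = []
    for name in san_dns_names:
        in_permitted = (not permitted) or any(dns_name_matches(name, s) for s in permitted)
        in_excluded = any(dns_name_matches(name, s) for s in excluded)
        if not in_permitted or in_excluded:
            bad.append(name)
    return bad


if __name__ == "__main__":
    # Constructed SAN lists standing in for two leaf certificates.
    ok_leaf = ["www.example.cn", "例子.中国", "*.example.xn--55qx5d"]
    bad_leaf = ["www.example.cn", "example.com", "example.notcn"]
    print(name_constraint_violations(ok_leaf, CNNIC_PERMITTED))   # []
    print(name_constraint_violations(bad_leaf, CNNIC_PERMITTED))  # ['example.com', 'example.notcn']
```

A real validator has to apply the same logic to every GeneralName form the extension carries (IP address ranges, rfc822Name, directoryName) and to any intermediate's own constraints along the chain; this block covers only the dNSName subtrees that item F is about.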