Let's use an example. Suppose CNNIC issues a cert for whitehouse[dot]gov and let's further suppose that CNNIC includes this cert in the CT data since they have agreed to do that. What happens next?
Where I'm going with this is that I'm trying to figure out if agreeing to support CT is a hollow promise. It seems like it might deter bad behavior on the part of a cert issuer but its effectiveness in that regard is limited if nobody is checking the CT logs. (By way of comparison, consider the deterrence impact of using name constraints.) Apart from this CT question, it seems to me that requiring name constraints on future submissions from CNNIC is reasonable. I don't see how they have a compelling interest to issue certs beyond Chinese domains in any sense that we would find agreeable.

Original Message
From: Gervase Markham
Sent: Monday, April 13, 2015 2:15 PM
To: Brian Smith; Richard Barnes; mozilla-dev-security-pol...@lists.mozilla.org
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Requirements for CNNIC re-application

On 11/04/15 01:05, Brian Smith wrote:
> If a US-based CA were in a similar situation, would we consider name
> constraining them to *.com, *.org, *.net, *.us?

If it were a US government CA, we could certainly constrain to .gov and .mil.

> No, because that's not
> much of a constraint. For people within China and others, a name
> constraint of "*.cn" isn't much different than that. I think such a
> constraint gives most of the people on this list a false sense of
> resolution, because *.cn websites aren't relevant to our
> security, so constraining CNNIC to *.cn is basically equivalent to
> keeping them out of the program. But, there are many millions of
> people for whom the security of *.cn websites does matter, and name
> constraints don't help them.

What would, if you postulate a hostile DNS registry and a hostile government?
Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
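As an added illustration (not code from the thread or from Mozilla), here are the two controls the discussion compares, modelled in Python: dNSName name-constraint matching in the RFC 5280 style, and the CT-log monitor whose absence makes logging a "hollow promise". The CT entries, the issuer labels and the `MONITORED` policy are constructed for the example.

```python
def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """True if `name` lies within the dNSName constraint `subtree`. A bare
    constraint ('cn') matches that name and any subdomain; a leading-dot
    form ('.cn') matches subdomains only (common implementation convention)."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree)
    return name == subtree or name.endswith("." + subtree)

def satisfies_constraints(sans, permitted=(), excluded=()) -> bool:
    """Every SAN must fall inside some permitted subtree (when any are given)
    and inside no excluded subtree; an excluded match always wins."""
    for san in sans:
        if any(dns_name_in_subtree(san, e) for e in excluded):
            return False
        if permitted and not any(dns_name_in_subtree(san, p) for p in permitted):
            return False
    return True

# Constructed CT-log entries (issuer label, SANs); not real log data.
CT_ENTRIES = [
    ("CNNIC", ["www.cnnic.cn", "cnnic.cn"]),
    ("CNNIC", ["whitehouse.gov", "www.whitehouse.gov"]),
    ("Other CA", ["www.whitehouse.gov"]),
]

# Constructed monitor policy: domain we own -> issuers allowed for it.
MONITORED = {"whitehouse.gov": {"Other CA"}}

def constraint_violations(entries, issuer, permitted):
    """Entries from `issuer` that a CA name-constrained to `permitted` could
    not validly have issued; relying parties reject these at chain building."""
    return [e for e in entries if e[0] == issuer
            and not satisfies_constraints(e[1], permitted)]

def monitor_alerts(entries, monitored):
    """Logged names under a monitored domain whose issuer is not on that
    domain's allow-list: the check that makes CT logging more than a promise."""
    alerts = []
    for issuer, sans in entries:
        for san in sans:
            for domain, allowed in monitored.items():
                if dns_name_in_subtree(san, domain) and issuer not in allowed:
                    alerts.append((issuer, san))
    return alerts
```

Run against the constructed entries, the name constraint rejects the CNNIC-issued whitehouse.gov cert outright, while the CT monitor only helps if someone actually runs `monitor_alerts` over the log.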