Re: Consequences of mis-issuance under CNNIC

2015-03-30 Thread Gervase Markham
On 27/03/15 19:09, Peter Kurrasch wrote: 1) Mozilla could refuse to validate any intermediate cert which CNNIC has issued to a subordinate CA. (Note: I'm not sure that's the technically precise term here.) Basically, CNNIC may issue intermediates for itself but those paths going outside their

Re: Consequences of mis-issuance under CNNIC

2015-03-30 Thread Richard Barnes
After some further thought on this issue, I would like to propose the following course of action: 1. Remove the CNNIC root certificates 2. (possibly) Temporarily add the CNNIC intermediate certificates Removing the CNNIC root certificates reflects the seriousness of the breach of trust that

Test

2015-03-30 Thread Richard Barnes
Please ignore.

Re: Consequences of mis-issuance under CNNIC

2015-03-30 Thread Gervase Markham
On 30/03/15 16:34, Richard Barnes wrote: Adding the intermediates would allow CNNIC to continue to issue end-entity certificates, and not penalize site owners immediately (as Peter notes). However, it would prevent the acceptance of other intermediates, since the improper issuance of

Re: Consequences of mis-issuance under CNNIC

2015-03-30 Thread Matt Palmer
On Mon, Mar 30, 2015 at 11:34:40AM -0400, Richard Barnes wrote: The underlying issue here is that CNNIC, apparently deliberately, violated the BRs, Mozilla policy, and its own CPS by issuing an intermediate without proper vetting. For me, the most troubling aspect of this is that CNNIC

Re: Consequences of mis-issuance under CNNIC

2015-03-30 Thread Peter Bowen
On Mon, Mar 30, 2015 at 2:22 PM, jjo...@mozilla.com wrote: On Monday, March 30, 2015 at 8:34:47 AM UTC-7, Richard Barnes wrote: As a compromise, however, I would be willing to add the CNNIC intermediates to the Mozilla root list (F). [...] Rather, we should plan to remove them after a fixed

Re: Consequences of mis-issuance under CNNIC

2015-03-30 Thread David Keeler
On 03/30/2015 09:23 AM, Gervase Markham wrote: On 30/03/15 16:34, Richard Barnes wrote: Adding the intermediates would allow CNNIC to continue to issue end-entity certificates, and not penalize site owners immediately (as Peter notes). However, it would prevent the acceptance of other

Re: Consequences of mis-issuance under CNNIC

2015-03-30 Thread jjones
On Monday, March 30, 2015 at 8:34:47 AM UTC-7, Richard Barnes wrote: As a compromise, however, I would be willing to add the CNNIC intermediates to the Mozilla root list (F). [...] Rather, we should plan to remove them after a fixed time (say 6 months) or after CNNIC's re-application is

Re: Consequences of mis-issuance under CNNIC

2015-03-30 Thread Peter Gutmann
Daniel Micay danielmi...@gmail.com writes: CNNIC is known to have produced and distributed malware for the purpose of mass surveillance and censorship. TeliaSonera aided totalitarian governments, Comodo provided the PrivDog MITM software, and that's just the first two off the top of my head. If

Re: Consequences of mis-issuance under CNNIC

2015-03-30 Thread Peter Gutmann
Matt Palmer mpal...@hezmatt.org writes: However, given that CNNIC felt it appropriate to violate their CPS with regards to an intermediate CA certificate, I don't see that there's any greater reason to trust their adherence to their CPS in any other aspect. Thus, I'm not keen on allowing them

Re: Consequences of mis-issuance under CNNIC

2015-03-30 Thread Daniel Micay
On 30/03/15 10:32 PM, Peter Kurrasch wrote: Yours is certainly one viewpoint, Daniel. Just the same, there is nothing wrong with more nuanced perspectives. I'm not sure how allegations of racial bias and hypocrisy with little basis are a perspective. It's a weak attempt to discredit people

Re: Consequences of mis-issuance under CNNIC

2015-03-30 Thread Daniel Micay
On 30/03/15 10:41 PM, Daniel Micay wrote: On 30/03/15 10:32 PM, Peter Kurrasch wrote: Yours is certainly one viewpoint, Daniel. Just the same, there is nothing wrong with more nuanced perspectives. I'm not sure how allegations of racial bias and hypocrisy with little basis are a

Re: Consequences of mis-issuance under CNNIC

2015-03-30 Thread Daniel Micay
On 30/03/15 09:34 PM, Peter Gutmann wrote: Matt Palmer mpal...@hezmatt.org writes: However, given that CNNIC felt it appropriate to violate their CPS with regards to an intermediate CA certificate, I don't see that there's any greater reason to trust their adherence to their CPS in any other

Re: Consequences of mis-issuance under CNNIC

2015-03-30 Thread Daniel Micay
On 30/03/15 10:08 PM, Peter Gutmann wrote: Daniel Micay danielmi...@gmail.com writes: CNNIC is known to have produced and distributed malware for the purpose of mass surveillance and censorship. TeliaSonera aided totalitarian governments, Comodo provided the PrivDog MITM software, and