Re: Consequences of mis-issuance under CNNIC

2015-04-01 Thread Gervase Markham
On 30/03/15 16:34, Richard Barnes wrote: After some further thought on this issue, I would like to propose the following course of action: 1. Remove the CNNIC root certificates 2. (possibly) Temporarily add the CNNIC intermediate certificates After consideration, I want to record two

Re: Consequences of mis-issuance under CNNIC

2015-04-01 Thread Daniel Roesler
Doh! Apologies for the mix-up. One of the downsides of subscribing to the mailing list in digest mode... -Daniel On Wed, Apr 1, 2015 at 6:42 PM, dev-security-policy-requ...@lists.mozilla.org wrote: Message: 2 Date: Wed, 01 Apr 2015 15:27:18 -0700 From: Kathleen Wilson kwil...@mozilla.com To:

Re: Consequences of mis-issuance under CNNIC

2015-04-01 Thread Reed Loden
CNNIC just released a declaration concerning Google's recent update: http://www1.cnnic.cn/AU/MediaC/Announcement/201504/t20150402_52049.htm 1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights

Re: Consequences of mis-issuance under CNNIC

2015-04-01 Thread Richard Barnes
On Wed, Apr 1, 2015 at 6:44 PM, Matt Palmer mpal...@hezmatt.org wrote: On Wed, Apr 01, 2015 at 01:35:25PM -0400, Richard Barnes wrote: Alright, one more pass at this. After more feedback from this list (thanks, all!) and some more conversation, I would like to propose something stronger

Re: Consequences of mis-issuance under CNNIC

2015-04-01 Thread Matt Palmer
On Wed, Apr 01, 2015 at 10:06:53PM -0700, Reed Loden wrote: CNNIC just released a declaration concerning Google's recent update: http://www1.cnnic.cn/AU/MediaC/Announcement/201504/t20150402_52049.htm 1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and

Re: Consequences of mis-issuance under CNNIC

2015-04-01 Thread Daniel Roesler
Howdy Kathleen, I'm a bit confused. Part of Richard's proposal (Option F) is to temporarily add CNNIC intermediates to the root store. However, you didn't seem to offer feedback on that part of his proposal. What precedent or procedure does this procedure draw from? Has this been done before?

Re: Consequences of mis-issuance under CNNIC

2015-04-01 Thread Richard Barnes
Alright, one more pass at this. After more feedback from this list (thanks, all!) and some more conversation, I would like to propose something stronger than my last proposal: * Do not remove the CNNIC root, but * Reject certificates chaining to CNNIC with a notBefore date after a threshold

Re: Consequences of mis-issuance under CNNIC

2015-04-01 Thread kwilson
Thank you to all of you who have thoughtfully and constructively contributed to this discussion so far. This discussion is still open, and we will continue to appreciate your input. I believe that the latest proposal from Richard (to reject new certificates chaining to CNNIC roots) is in line

Re: Consequences of mis-issuance under CNNIC

2015-04-01 Thread Matt Palmer
On Wed, Apr 01, 2015 at 01:35:25PM -0400, Richard Barnes wrote: Alright, one more pass at this. After more feedback from this list (thanks, all!) and some more conversation, I would like to propose something stronger than my last proposal: * Do not remove the CNNIC root, but * Reject