>> 1) We have never claimed as a matter of policy that our PKI decisions
>> can protect people from malicious governments. It's just not a
>> plausible promise for us to make.
>> 2) I think, regardless of government ties, we'd carefully review and
>> might well yank trust for any CA that was complicit in MitM attacks.
>> 3) CNNIC complied with our root addition policy, they are in the
>> product presently, so this isn't a question of approval, this is a
>> question of whether we should review.

>> It feels to me like that makes our next step clear, here. It won't
>> help to tally up the complainants (there will be many), and it won't
>> help to demand assurances from CNNIC (since the alleged governmental
>> pressure would trump those anyhow). It certainly won't help to cite
>> wikipedia.

>> If there's truth to the allegation, here, then it should be possible
>> to produce a cert. It should be possible to produce a certificate,
>> signed by CNNIC, which impersonates a site known to have some other
>> issuer. A live MitM attack, a paypal cert issued by CNNIC for example.
>> If anyone in a position to produce such a thing needs help
>> understanding the mechanics of doing so, I'm sure this forum will help
>> them.

>> SSL makes tampering visible to its victims. The certificate has to
>> actually make it to my client before I can decide to trust it. By all
>> means, let's arm people with the knowledge to detect and record such
>> instances. But I don't see any clear step we can take until then.

>> Does that seem dismissive? I really hope not. I really don't want us
>> to trust CAs that we can't actually trust, but I don't want our root
>> program choosing favourites in political debates either.

> Thanks Johnathan for your response and guidance. I believe there isn't
> an easy solution unfortunately for those affected and neither for
> Mozilla. I think it's correct that we should stick to the technical
> requirements and facts, but act upon them swiftly if any evidence is
> presented that might infringe on the Mozilla CA policy.

> Currently section #4 of the policy come to mind, in particular
> "knowingly issue certificates that appear to be intended for fraudulent
> use." If CNNIC is directly branded by anti-virus and other safe-guarding
> groups as a source for distributing mal-ware, there might be a problem.

> Additionally section #6 calls for "provide some service relevant to
> typical users of our software products", apparently for some this root
> presents for them a disservice. I don't know how to evaluate that or
> what to recommend, but I believe it's worth to look at it and listen
> carefully to complaints.

> More disturbing however is, that apparently this news group can't be
> accessed according to
> https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c28
> This makes participation here difficult and I wonder if this happened on
> purpose. Such a fact would have made our process and public comments
> period void of any value and if the allegations are correct we could
> call for annulling  the previous decision taken here. The purpose of the
> public comments period is to voice amongst others the concerns we are
> hearing today. If those rights were withheld for a large group affected
> by this root inclusion and/or the proceedings here were not known to
> them, it could  present a valid reason to reconsider the previously made
> decision.

>     * publicly disclose information about their policies and business practices