> On Jan 28, 1:11 am, Nelson Bolyard <NOnelsonS...
> > On 2010-01-27 06:18 PST, Eddy Nigg wrote:
> > I've also seen a lot of confusion in the past over who is the source of
> > signed software. A lot of people assume that the certificate issuer,
> > rather than the certificate subject, is the source of the signed software.
> > Now, we come to the immediate cases to which Eddy provided links:
> > >http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client...
> > >http://www.siteadvisor.com/sites/cnnic.net.cn
> > >http://en.wikipedia.org/wiki/China_Internet_Network_Information_Cente...
> > I cannot determine, from the information presented on those pages, if CNNIC
> > was itself the source (the signer) of the signed software, or was merely the
> > issuer of certificates that were used by other subjects to sign malware.
> > The middle of those 3 links says that CNNIC had links to another site,
> > tech.sina.com.cn, which on its face seems to be another organization.
> > This doesn't seem inconsistent with CNNIC's role as a CA.
> > I think we need to be very careful to avoid getting caught in the trap of
> > thinking of certificates as attestations of morality or competence, and
> > thinking of CAs as judges of morality or competence. If we allow the role
> > of CAs to become defined as being those judges, they will CERTAINLY FAIL.
> > So, let's define their role as doing something at which they can succeed,
> > namely attesting to binding of keys to vetted identities.
> I agree with Eddy. We are not talking about who signed this software.
> I am a Chinese internet user. CNNIC has produced software called
> CNNIC_Zhong_Wen_Shang_Wang which is well-known malware software in
> China. Besides, I remember that this software was signed by Verisign
> (need to confirm), because CNNIC was not a trusted root CA at that time.
> This software is usually installed by users by mistake. After it is
> installed, pop-up windows, ads, a forced IE homepage, etc. all
> appear. And it's very difficult to uninstall.
> I don't know whether the current version of this software is still
> malware. But you can also find some information from Google by
> searching "cnnic malware" (without quotes), or you can find some
> Chinese people around you to search "CNNIC 中文上网" (http://www.google.com/search?hl=en&source=hp&q=CNNIC+%E4%B8%AD%E6%96%...
> ). Almost all results are related to "How can I uninstall the d*mn
> I don't know whether this certificate will be used for phishing SSL
> sessions in the future. But I think the worries are reasonable, because of
> the internet censorship in China and GFW project.
> Given this organization's past behavior, I personally untrust this
> http://en.wikipedia.org/wiki/Golden_Shield_Project (GFW)
So please check out what people are saying about CNNIC on Twitter. An
untrusted organization should never be trusted by browsers.