On 01/28/2010 06:07 PM, Johnathan Nightingale:
> 1) We have never claimed as a matter of policy that our PKI decisions
> can protect people from malicious governments. It's just not a
> plausible promise for us to make.
> 2) I think, regardless of government ties, we'd carefully review and
> might well yank trust for any CA that was complicit in MitM attacks.
> 3) CNNIC complied with our root addition policy, they are in the
> product presently, so this isn't a question of approval, this is a
> question of whether we should review.
> It feels to me like that makes our next step clear, here. It won't
> help to tally up the complainants (there will be many), and it won't
> help to demand assurances from CNNIC (since the alleged governmental
> pressure would trump those anyhow). It certainly won't help to cite
> wikipedia.
> If there's truth to the allegation, here, then it should be possible
> to produce a cert. It should be possible to produce a certificate,
> signed by CNNIC, which impersonates a site known to have some other
> issuer. A live MitM attack, a paypal cert issued by CNNIC for example.
> If anyone in a position to produce such a thing needs help
> understanding the mechanics of doing so, I'm sure this forum will help
> them.
> SSL makes tampering visible to its victims. The certificate has to
> actually make it to my client before I can decide to trust it. By all
> means, let's arm people with the knowledge to detect and record such
> instances. But I don't see any clear step we can take until then.
> Does that seem dismissive? I really hope not. I really don't want us
> to trust CAs that we can't actually trust, but I don't want our root
> program choosing favourites in political debates either.
Thanks Johnathan for your response and guidance. I believe there isn't
an easy solution unfortunately for those affected and neither for
Mozilla. I think it's correct that we should stick to the technical
requirements and facts, but act upon them swiftly if any evidence is
presented that might infringe on the Mozilla CA policy.
Currently section #4 of the policy come to mind, in particular
"knowingly issue certificates that appear to be intended for fraudulent
use." If CNNIC is directly branded by anti-virus and other safe-guarding
groups as a source for distributing mal-ware, there might be a problem.
Additionally section #6 calls for "provide some service relevant to
typical users of our software products", apparently for some this root
presents for them a disservice. I don't know how to evaluate that or
what to recommend, but I believe it's worth to look at it and listen
carefully to complaints.
More disturbing however is, that apparently this news group can't be
accessed according to
https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c28
This makes participation here difficult and I wonder if this happened on
purpose. Such a fact would have made our process and public comments
period void of any value and if the allegations are correct we could
call for annulling the previous decision taken here. The purpose of the
public comments period is to voice amongst others the concerns we are
hearing today. If those rights were withheld for a large group affected
by this root inclusion and/or the proceedings here were not known to
them, it could present a valid reason to reconsider the previously made
decision.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
