Account Options

  1. Sign in
The old Google Groups will be going away soon.
Switch to the new Google Groups.
Google Groups Home
« Groups Home
mozilla.dev.security.policy
+ new post
About this group
Subscribe to this group
This is a Usenet group - learn more
Message from discussion CNNIC Root Inclusion
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Followup To:
Add Cc | Add Followup-to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers you hear
 
Johnathan Nightingale  
View profile  
 More options Jan 28 2010, 11:07 am
Newsgroups: mozilla.dev.security.policy
From: Johnathan Nightingale <john...@mozilla.com>
Date: Thu, 28 Jan 2010 11:07:09 -0500
Local: Thurs, Jan 28 2010 11:07 am
Subject: Re: CNNIC Root Inclusion
Print | View thread | Show original | Report this message | Find messages by this author
On 27-Jan-10, at 9:14 AM, Eddy Nigg wrote:

> I was made aware of some controversial issues regarding the  
> inclusion of the CNNIC Root. Please see comments https://bugzilla.mozilla.org/show_bug.cgi?id=476766
> #c18 and the item thereafter.

> Even though this is mostly a technical forum, Mozilla might have an  
> opinion in this respect. Kathleen, could you please follow up at the  
> appropriate channels regarding the claims made as it might affect  
> the Mozilla CA policy section 4 and 6, maybe also others.

So, I have a couple reactions here:

1) We have never claimed as a matter of policy that our PKI decisions  
can protect people from malicious governments. It's just not a  
plausible promise for us to make.
2) I think, regardless of government ties, we'd carefully review and  
might well yank trust for any CA that was complicit in MitM attacks.
3) CNNIC complied with our root addition policy, they are in the  
product presently, so this isn't a question of approval, this is a  
question of whether we should review.

It feels to me like that makes our next step clear, here. It won't  
help to tally up the complainants (there will be many), and it won't  
help to demand assurances from CNNIC (since the alleged governmental  
pressure would trump those anyhow). It certainly won't help to cite  
wikipedia.

If there's truth to the allegation, here, then it should be possible  
to produce a cert. It should be possible to produce a certificate,  
signed by CNNIC, which impersonates a site known to have some other  
issuer. A live MitM attack, a paypal cert issued by CNNIC for example.  
If anyone in a position to produce such a thing needs help  
understanding the mechanics of doing so, I'm sure this forum will help  
them.

SSL makes tampering visible to its victims. The certificate has to  
actually make it to my client before I can decide to trust it. By all  
means, let's arm people with the knowledge to detect and record such  
instances. But I don't see any clear step we can take until then.

Does that seem dismissive? I really hope not. I really don't want us  
to trust CAs that we can't actually trust, but I don't want our root  
program choosing favourites in political debates either.

J

---
Johnathan Nightingale
Human Shield
john...@mozilla.com


 
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2012 Google