Chinese Root Certificates
David E. Ross
> China has ordered its banks and other major companies to limit
> use of foreign computer security technology, setting up a possible
> trade clash with the United States and Europe while adding to
> strains over high-tech secrecy as some nations threaten to curtail
> BlackBerry service.
>
> Beijing's restrictions cite security concerns but are also
> consistent with its efforts to build up Chinese technology
> industries by shielding them from competition and pressing global
> rivals to hand over know-how.
Perhaps Mozilla should respond by limiting its use of Chinese root
certificates.
The entire Boston Globe article is at
<http://www.boston.com/business/technology/articles/2010/08/25/china_sets_up_new_battle_over_computer_security/>.
(I don't know how long that link will remain valid.) I first saw this
in the Los Angeles Times hardcopy edition, but I cannot find it in the
Times online edition.
--
David E. Ross
<http://www.rossde.com/>
I filter and ignore all newsgroup messages posted through
GoogleGroups via Google's G2/1.0 user agent because of the
amount of spam from that source.
Eddy Nigg
> I do think that Chinese root certificates should be limited, but for
> other reasons that are more directly related to Mozilla users and
> promises made in the Cert Policy.
I don't think this should be generalized just for a specific countries
like China, instead national(ized) CAs should be limited to their
specific TLD if a legitimate concern exists. This could include the
limitations to perform validations outside of the country or by pure
choice of their target audience and relevant legislation.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
David E. Ross
> On 08/27/2010 11:42 PM, From Stephen Schultze:
>> I do think that Chinese root certificates should be limited, but for
>> other reasons that are more directly related to Mozilla users and
>> promises made in the Cert Policy.
>
> I don't think this should be generalized just for a specific countries
> like China, instead national(ized) CAs should be limited to their
> specific TLD if a legitimate concern exists. This could include the
> limitations to perform validations outside of the country or by pure
> choice of their target audience and relevant legislation.
>
From the news article, I got the impression that the Chinese government
will restrict or even prohibit the domestic use of non-Chinese browsers
for use in financial and other secure transactions. If that is indeed
the situation, why should Mozilla and Mozilla-based products contain
root certificates that are intended primarily for such transactions?
--
David E. Ross
<http://www.rossde.com/>.
Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation.
© 1997 by David E. Ross
Kurt Seifried
> will restrict or even prohibit the domestic use of non-Chinese browsers
> for use in financial and other secure transactions. If that is indeed
> the situation, why should Mozilla and Mozilla-based products contain
> root certificates that are intended primarily for such transactions?
I see several flaws in your reasoning:
1) That there is some cohesive "pro US" (for lack of a better term)
belief system that says China is the "enemy" and that you must engage
in a zero-sum tit for tat prisoners dilemma style conflict. That
protectionism must be met with retaliation (usually in the form of
more protectionism, trade barriers, tariffs, etc.). I suspect this is
not universally true (although there are loud elements in the US that
subscribe to this).
2) That Mozilla is primarily a US project and subscribes to the above
belief system. I suspect this is not true (and as far as I can tell
apart from you there are no loud elements subscribing to this).
3) That even if the above were true that engaging in tit for tat
protectionism (you won't allow our CAs, we won't allow your CAs) would
someone end in the Chinese government going "wow... we were wrong.
Let's stop doing this". If you end goal is to engage China and bring
them into the global economy (aka globalism) then shutting them out is
probably not the best way to accomplish this.
I suspect what is true is that some sense of fair play or whatever has
been offended and there is a desire to lash out and somehow extract
retribution from the offending party.
I doubt that much (if any) of the Mozilla people hold this view (but
they're welcome to correct me!).
Can we please put aside this silliness?
--
Kurt Seifried
ku...@seifried.org
tel: 1-703-879-3176
Nelson Bolyard
>> From the news article, I got the impression that the Chinese government
>> will restrict or even prohibit the domestic use of non-Chinese browsers
>> for use in financial and other secure transactions. If that is indeed
>> the situation, why should Mozilla and Mozilla-based products contain
>> root certificates that are intended primarily for such transactions?
>
> I see several flaws in your reasoning:
>
> 1) That there is some cohesive "pro US" (for lack of a better term)
> belief system that says China is the "enemy"
Kurt,
I suspect you've misunderstood the intent of David's proposal.
I believe David's position isn't based on protectionism of any country.
I believe his desire is to reward countries that encourage free and open
flow of information, and punish those that don't, by limiting their
ability to promote international trade from their merchants. I think
his message would be "if you want your merchants to be able to sell
internationally, you must allow your citizens to have access to
unfiltered information."
But I think that cutting off the flow of information isn't the right way
to promote the free and open flow of information. :-/
Eddy Nigg
> But I think that cutting off the flow of information isn't the right way
> to promote the free and open flow of information. :-/
In any case entering into politics can become very quickly a slippery
slope. I think we shouldn't go there....
However I do believe that is room for thought regarding declared
governmental CAs or those acting on behalf of a government. This would
affect all such CAs equally.
Steve Schultze
> On 08/28/2010 07:58 PM, From Nelson Bolyard:
>> But I think that cutting off the flow of information isn't the right way
>> to promote the free and open flow of information. :-/
>
> In any case entering into politics can become very quickly a slippery
> slope. I think we shouldn't go there....
>
> However I do believe that is room for thought regarding declared
> governmental CAs or those acting on behalf of a government. This would
> affect all such CAs equally.
Agreed on all points.
I would add to the list reconsideration of CAs which are subject to
jurisdiction of regimes that have demonstrated a willingness and ability
to force those under their control to compromise security without
reasonable judicial oversight. This is also a generalizable principle
not specific to any country (and, I think, consistent with Mozilla's
security principles).
Robin Lin
The Chinese Root Certificate is bad for user which is willing to
verify the root certificate identity by viewing the certificate
content. For me, I can easily to verify the Chinese root certificate
subject DN to decide that I should trust it or not, even the root
certificate is added to the trust store of Mozilla. I am not sure
every Mozilla user will view the certificate content to make the
decission wheather this root should be trust or not. That's why every
root CA has to passed the examnation of Mozilla open review after
passed the WebTrust Audit.
My suggestion is get more multi-lingual professional to involve the
security discussion will be good for Mozilla Security Policy. In
Chinese world, there are many strange thing that you can never
imaging, especially in security field.
This is Robin W.T. Lin speaking, in acting of Robin Lin of TWCA in
Taiwan, which is harmed by the related CA, CNNIC, ruled by China
Government.
Robin Lin
> On 08/28/2010 07:58 PM, From Nelson Bolyard:
>
> > But I think that cutting off the flow of information isn't the right way
> > to promote the free and open flow of information. :-/
>
> In any case entering into politics can become very quickly a slippery
> slope. I think we shouldn't go there....
>
> However I do believe that is room for thought regarding declared
> governmental CAs or those acting on behalf of a government. This would
> affect all such CAs equally.
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
Everything is related with politics, however, the thing is worseed in
China about the information control. I am not sure the informaton
control is also happened in US. But the truth is, the people will be
more easy to live in US, even he/she is not the citizen of US.
Regards,
Robin Lin
Matt McCutchen
> The Chinese Root Certificate is bad for user which is willing to
> verify the root certificate identity by viewing the certificate
> content.
Did you mean "not willing"?
> For me, I can easily to verify the Chinese root certificate
> subject DN to decide that I should trust it or not, even the root
> certificate is added to the trust store of Mozilla.
It's not that simple. IIUC, the site identity button only shows the
certificate under which the main HTML page was received; embedded
items could have used different certificates. And finding out about a
fraudulent certificate after the page has had the opportunity to XSS
other pages loaded from the same domain under legitimate certificates
is too late. The only viable approach is to disable roots you don't
trust.
Matt