
Fwd: CNNIC and legal jurisdiction


anyin

Jun 13, 2012, 8:40:32 PM
to mozilla-dev-s...@lists.mozilla.org

Reply to the many objections,

I need to state that CNNIC is not the government. CNNIC was founded as a non-profit organization and has absolutely nothing to do with the Chinese government's internet restrictions. I know of many objections from people who dislike the Chinese government, but this should not be a basis for acceptance or rejection of CAs under Mozilla policy, right?

I don't see any evidence that CNNIC has broken its promise to Mozilla policy, or any fake cert that CNNIC delivered for MITM, because we never do that.

Again, IMO, we should not discuss politics; it is not relevant to a CA's acceptability.

Thanks.

Ken An

-----Original Message-----
From: dev-security-policy-bounces+anyin=cnni...@lists.mozilla.org [mailto:dev-security-policy-bounces+anyin=cnni...@lists.mozilla.org] On Behalf Of Stephen Schultze
Sent: June 13, 2012 3:29
To: mozilla-dev-s...@lists.mozilla.org
Subject: Re: CNNIC and legal jurisdiction

On 6/11/12 6:46 AM, Gervase Markham wrote:
> On 07/06/12 16:23, Stephen Schultze wrote:
>> Unfortunately, they live and operate in a legal jurisdiction in which
>> their best intentions are undermined by the regime that governs them.
>> They are not even allowed by their government to participate directly
>> in the approval conversation we are having here.
>
> Are you saying that based on recent assertions that people inside the
> GFW cannot access this discussion, or do you have more specific
> knowledge about CNNIC employees (who may well have a non-GFW connection)?

I have no knowledge about what exceptions that CNNIC employees may have to governmental censorship. Even if they have a non-GreatFireWall connection, it's unclear whether they could "legally" use it for this purpose. Based on their lack of participation in this forum, and Kathleen's message, it seems that they either don't have access or that access is hampered:
https://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/404c32c7a4d0e533#dbc8caabca60f326

This is, in any event, immaterial to the main point. CNNIC employees would have no choice but to comply with the "legal" obligation to create a rogue certificate if compelled to do so by the untrustworthy Chinese government... or I suppose they *do* have a choice: be prosecuted by the Chinese government.

This would not be counter to the assertion by CNNIC made on the bug, stating that "We absolutely won’t deliver any Cert to any illegal organization." (unless they contend that the Chinese Government is an "illegal organization"):
https://bugzilla.mozilla.org/show_bug.cgi?id=607208#c16

But regardless of what assertions they make, the reality is that such assertions cannot be trusted because there is insufficient judicial oversight of government surveillance in their jurisdiction. As Sid noted in his SSL MITM paper:

"The Chinese government, for example, has repeatedly compelled the assistance of telecommunications and technology companies in assisting it with its surveillance efforts "

_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Stephen Schultze

Jun 13, 2012, 10:04:57 PM
to mozilla-dev-s...@lists.mozilla.org
On 6/13/12 8:40 PM, anyin wrote:
> Reply to the many objections,
>
> I need state CNNIC is not government. CNNIC was founded as a
> non-profit organization and absolutely has nothing to do with
> internet restriction of Chinese government. I know many objections
> from people who dislike Chinese government, but this should not be a
> basis of acceptance nor rejection of CAs under Mozilla policy,
> right?
>
> I don't see any evidence which CNNIC breaks promise to Mozilla
> policy, any fake Cert which CNNIC delivered for MITM. Because we
> never do that.
>
> Again, IMO, we should not discuss politics, they are not relevant
> with CA's acceptability.
>
> Thanks.
>
> Ken An

An Yin,

Thanks for participating in the discussion. Did we meet at IETF? I'm
the guy in a suit in the front-row far-left of this picture:
https://www.dropbox.com/s/wvd43kymdnjawip/CNNIC_IETF_Beijing.jpg

Are you in that picture? Did we meet?

Of course I'm not sure if you have access to Dropbox:
http://www.quora.com/Dropbox/Is-Dropbox-blocked-in-China-Why

In any case, here's my question:
If the police show up with guns at the front door of CNNIC (the one in
the background of that photo), and demand to have a certificate for a
domain that they do not control (according to the relevant registry),
what will you do?

Steve

anyin

Jun 13, 2012, 11:03:24 PM
to Stephen Schultze, mozilla-dev-s...@lists.mozilla.org
Hi Stephen,

No, I am not in that picture, as I don't participate in the IETF.
PS: I can access Dropbox successfully.

What would you do if you were in the situation you assumed?
Maybe you have a terrible image of the Chinese government from much misleading
news; I don't think CNNIC CA will face the scene you assumed.

Regards,
Ken


Stephen Schultze

Jun 14, 2012, 9:12:19 AM
to mozilla-dev-s...@lists.mozilla.org
Ken,

I realize that I gave you an extreme example, so perhaps this example is
easier to envision:

What would CNNIC do if an official from the Ministry of Public Security
told CNNIC the same thing?

Steve

Jan Schejbal

Jun 14, 2012, 10:44:23 PM
to mozilla-dev-s...@lists.mozilla.org
On 2012-06-14 02:40, anyin wrote:
> I need state CNNIC is not government. CNNIC was founded as a
> non-profit organization and absolutely has nothing to do with
> internet restriction of Chinese government.

CNNIC itself states on http://www.cnnic.net.cn/en/index/ that "CNNIC
takes orders from the Ministry of Information Industry (MII) to conduct
daily business".

Kind regards,
Jan

--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...


Jean-Marc Desperrier

Jun 20, 2012, 6:11:51 AM
to mozilla-dev-s...@lists.mozilla.org
Stephen Schultze wrote:
> What would CNNIC do if an official from the Ministry of Public Security
> told CNNIC the same thing?

I'm not really interested in trying to defend the Chinese government,
but ...

What would American CAs do if told to do the same thing by the FBI, who
would tell them they have no choice but to comply with this request under
Title II of the USA PATRIOT Act, "Enhanced Surveillance Procedures"?

Phillip Hallam-Baker

Jun 20, 2012, 8:46:34 AM
to Jean-Marc Desperrier, mozilla-dev-s...@lists.mozilla.org
What would a Chinese citizen expect a US CA to do?

In the wake of Flame/Stuxnet I have decided I really can't trust any of
the US government employees/contractors on issues like making Name
Constraints practical for real-world use. And these are people I
consider friends and have worked with for 20 years.

The US government could use the same tactics against Mozilla,
Microsoft, Google. But the chance of detection/leaks is very high.

What we need to do is to adjust the infrastructure so the expectation
of detection becomes near certainty and does not rely on someone
risking jail.


On Wed, Jun 20, 2012 at 6:11 AM, Jean-Marc Desperrier <jmd...@gmail.com> wrote:
> Stephen Schultze wrote:
>
>> What would CNNIC do if an official from the Ministry of Public Security
>> told CNNIC the same thing?
>
>
> I'm not really interested in trying to defend the Chinese government, but
> ...
>
> What would American CAs do if told to do the same thing by the FBI who would
> tell them they have no choice but to comply to this request under title II
> of the USA PATRIOT Act, "Enhanced Surveillance Procedures" ?
>



--
Website: http://hallambaker.com/

ianG

Jun 20, 2012, 9:04:51 AM
to dev-secur...@lists.mozilla.org
On 20/06/12 22:46 PM, Phillip Hallam-Baker wrote:

> What we need to do is to adjust the infrastructure so the expectation
> of detection becomes near certainty and does not rely on someone
> risking jail.


I agree. We can't stop them forcing it to happen. But we can make it
difficult for them to hide.

There's this old trick, on the website plaster a statement that says:

"Zero false certs issued so far."

They can issue a demand for a false cert. They can slap a secrecy order
on the false cert.

But they can't order you to lie....



iang
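The "zero false certs issued so far" trick above is a warrant canary: the operator keeps re-signing a dated statement, and the relying party treats absence, staleness or any change in the wording as the signal, since a compelled operator can be made silent but (the argument goes) not made to re-sign the statement. The following is an added example of how that check looks in code; it is not from any CA on this thread or from Mozilla, and the key, the claim text, the seven-day renewal window and the clock values are all assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claim is the fixed sentence the operator re-signs on every renewal.
// Assumed wording, taken from the thread's example statement.
const claim = "Zero false certs issued so far."

// Canary is the published, dated statement and the operator's signature over it.
type Canary struct {
	Statement string
	Signature []byte
}

// statementFor builds the canonical text that is signed: claim plus date.
func statementFor(asOf time.Time) string {
	return claim + "\nAs of: " + asOf.UTC().Format("2006-01-02")
}

// Publish is the operator side: sign a fresh canary for the given date.
func Publish(priv ed25519.PrivateKey, asOf time.Time) Canary {
	s := statementFor(asOf)
	return Canary{Statement: s, Signature: ed25519.Sign(priv, []byte(s))}
}

// Verify is the relying-party side. It fails closed: a missing canary, a
// bad signature, changed wording, a future date or a date older than
// maxAge all mean "the statement is no longer being made".
func Verify(pub ed25519.PublicKey, c *Canary, now time.Time, maxAge time.Duration) error {
	if c == nil {
		return errors.New("canary absent: operator has stopped making the statement")
	}
	if !ed25519.Verify(pub, []byte(c.Statement), c.Signature) {
		return errors.New("signature does not verify")
	}
	lines := strings.SplitN(c.Statement, "\n", 2)
	if len(lines) != 2 || lines[0] != claim {
		return errors.New("claim text differs from the expected statement")
	}
	if !strings.HasPrefix(lines[1], "As of: ") {
		return errors.New("date line malformed")
	}
	asOf, err := time.Parse("2006-01-02", strings.TrimPrefix(lines[1], "As of: "))
	if err != nil {
		return fmt.Errorf("unparseable date: %w", err)
	}
	if asOf.After(now.Add(24 * time.Hour)) {
		return errors.New("canary dated in the future")
	}
	if now.Sub(asOf) > maxAge {
		return errors.New("canary stale: not renewed within the expected window")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Assumed clock values for the demonstration.
	now := time.Date(2012, 6, 20, 0, 0, 0, 0, time.UTC)
	window := 7 * 24 * time.Hour

	c := Publish(priv, now)
	fmt.Println("fresh:", Verify(pub, &c, now, window))
	// Three weeks pass with no renewal: the silence is the signal.
	fmt.Println("stale:", Verify(pub, &c, now.Add(21*24*time.Hour), window))
	fmt.Println("absent:", Verify(pub, nil, now, window))
}
```

The design choice worth noting is that Verify does not merely check a signature: the expiry window is what turns an operator's silence into a positive alarm, and pinning the exact claim text means a subtly reworded statement ("zero false certs issued to illegal organizations") fails rather than passes. It does nothing about the objection Jan raises next, that a court may treat letting the canary lapse as itself a violation of a secrecy order.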

Jan Schejbal

Jun 21, 2012, 3:21:07 PM
to mozilla-dev-s...@lists.mozilla.org
On 2012-06-20 15:04, ianG wrote:
> But they can't order you to lie....

This assumption may not hold legally in certain jurisdictions, and it
will certainly not hold practically if the state adversary doesn't feel
the need to follow its own law (or is willing to change it).

Actually, I can imagine that this might not even work in many western
jurisdictions, as judges could see the removal of the "zero false certs"
messages as a violation of the secrecy order.

ianG

Jun 21, 2012, 11:36:06 PM
to dev-secur...@lists.mozilla.org
On 22/06/12 05:21 AM, Jan Schejbal wrote:
> On 2012-06-20 15:04, ianG wrote:
>> But they can't order you to lie....
>
> This assumption may not hold legally in certain jurisdictions, and it
> will certainly not hold practically if the state adversary doesn't feel
> the need to follow its own law (or is willing to change it).


Then all bets are off. You are in a lawless land where truth is not of
any use. This leads us to the claim that some have about China, etc etc.

> Actually, I can imagine that this might not even work in many western
> jurisdictions, as judges could see the removal of the "zero false certs"
> messages as a violation of the secrecy order.


You're looking at it from the wrong end of the lens. By the time the
judge gets to see it, you are now a cause celebre and you get interviews
on late night TV shows about how you fought the state on fundamental
matters of the constitution.

Turn the lens around.

A CA's standard threat and security analysis has to deal with the very
standard and ultra-well-known threat that the CA will be ordered to do
something illegal by someone big and powerful.

The CA doesn't need a bullet proof response to this threat or any other.
It doesn't need its own SWAT team. It just needs a response that
makes the tactic less likely to succeed, and doesn't muck up the costs
of the business so much.

As Phillip said, secrecy is the greatest friend of the spooks. By their
nature and their charter, they conduct illegal activities, and they
require secrecy for this to work. Take away their secrecy, and their
approach fails.

They know this. They will act very differently.

iang