Reply to the many objections,
I need to state that CNNIC is not the government. CNNIC was founded as a non-profit organization and has absolutely nothing to do with the internet restrictions of the Chinese government. I know many objections come from people who dislike the Chinese government, but this should not be a basis for acceptance or rejection of CAs under Mozilla policy, right?
I don't see any evidence that CNNIC broke its promise to Mozilla policy, or any fake Cert which CNNIC delivered for MITM. Because we never do that.
Again, IMO, we should not discuss politics; it is not relevant to a CA's acceptability.
Thanks.
Ken An
-----Original Message-----
From: dev-security-policy-bounces+anyin=cnni...@lists.mozilla.org [mailto:dev-security-policy-bounces+anyin=cnni...@lists.mozilla.org] On Behalf Of Stephen Schultze
Sent: June 13, 2012 3:29
To: mozilla-dev-s...@lists.mozilla.org
Subject: Re: CNNIC and legal jurisdiction
On 6/11/12 6:46 AM, Gervase Markham wrote:
> On 07/06/12 16:23, Stephen Schultze wrote:
>> Unfortunately, they live and operate in a legal jurisdiction in which
>> their best intentions are undermined by the regime that governs them.
>> They are not even allowed by their government to participate directly
>> in the approval conversation we are having here.
>
> Are you saying that based on recent assertions that people inside the
> GFW cannot access this discussion, or do you have more specific
> knowledge about CNNIC employees (who may well have a non-GFW connection)?
I have no knowledge about what exceptions CNNIC employees may have to governmental censorship. Even if they have a non-GreatFireWall connection, it's unclear whether they could "legally" use it for this purpose. Based on their lack of participation in this forum, and Kathleen's message, it seems that they either don't have access or that access is hampered:
https://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/404c32c7a4d0e533#dbc8caabca60f326
This is, in any event, immaterial to the main point. CNNIC employees would have no choice but to comply with the "legal" obligation to create a rogue certificate if compelled to do so by the untrustworthy Chinese government... or I suppose they *do* have a choice: be prosecuted by the Chinese government.
This would not be counter to the assertion by CNNIC made on the bug, stating that "We absolutely won’t deliver any Cert to any illegal organization." (unless they contend that the Chinese Government is an "illegal organization"):
https://bugzilla.mozilla.org/show_bug.cgi?id=607208#c16
But regardless of what assertions they make, the reality is that such assertions cannot be trusted because there is insufficient judicial oversight of government surveillance in their jurisdiction. As Sid noted in his SSL MITM paper:
"The Chinese government, for example, has repeatedly compelled the assistance of telecommunications and technology companies in assisting it with its surveillance efforts"
_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy