China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 18:12 UTC (Tue) by lkundrak (subscriber, #43452)
Parent article: China Internet Network Information Center accepted as a Mozilla root CA

I find Gervase Markham's response to the Bugzilla ticket valuable:

If the hijacking is done "on a nationwide scale", then someone should be able to produce some actual evidence of it. Download the bad cert, email us a copy, and we will act.

How would you like it if I locked you up or fined you because I thought you were a criminal and didn't want to "wait until the foreseeable crime happens"? CNNIC is innocent until proven guilty - an important cornerstone of justice. If their abuses are as widespread as you say, then producing evidence to prove them guilty should not be difficult.


China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 19:08 UTC (Tue) by josh (subscriber, #17465) [Link]

As pointed out more than once in Bugzilla and other discussions, "innocent until proven guilty" represents an excellent policy for criminal charges, but a terrible one for security and trust policies. For those, I'd advocate "guilty unless they give no possible reason for mistrust".

That doesn't mean that every bit of hearsay should by itself represent enough reason to deny trust, but when this much unrefuted evidence exists it seems prudent to deny trust until receiving proof of trustworthiness.

One notable link posted in the bug: http://en.wikipedia.org/wiki/China_Internet_Network_Infor...

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 19:34 UTC (Tue) by tzafrir (subscriber, #11501) [Link]

Sorry, but I find no hard evidence in that entry. In fact this entry omits any evidence of any other malware detection software from around the world declaring that software as malware.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 23:16 UTC (Tue) by redguardtoo (guest, #39215) [Link]

You found no evidence because you did NOT try.

See,
http://blogsearch.google.com/blogsearch?hl=en&ie=UTF-...

Or,
http://www.google.com.au/search?q=cnnic+%E6%88%91&ie=...

You can ask your Chinese friend to help you if you don't know Chinese

There is hard evidence that most Chinese IT guys don't trust CNNIC at all. Yes, I'm one of those Chinese guys because I know the notorious history of CNNIC too well.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 23:28 UTC (Tue) by redguardtoo (guest, #39215) [Link]

I just googled CNNIC and 我 (means 'I').
The result is the hard evidence of how average Chinese "trust" CNNIC.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 7:29 UTC (Wed) by farter (guest, #62197) [Link]

You really don't need to understand Chinese to know about CNNIC.

Just google "CNNIC malware". For instance, this page on MS: http://www.microsoft.com/security/portal/Threat/Encyclope....

Maybe I'm xenophobic, but IMHO, any institution having an entry bearing its name in nearly all major malware databases simply is not trustworthy, period.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 15:56 UTC (Wed) by tzafrir (subscriber, #11501) [Link]

josh above pointed to a certain section of a Wikipedia article as an evidence of some fact. I merely pointed out that the specific section provides no evidence.

You claim that there is evidence elsewhere? Fine. BTW: you can still fix that Wikipedia article. I generally have some more trust in Wikipedia articles that are popular enough because they have been reviewed by enough eyeballs, and it is usually easy to tell when the content of the article is controversial (which means I should then further review the talk page and relevant links).

What I saw in the bug report was a bunch of people shouting. Beyond shouting, they provided relatively little supporting evidence.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 13:53 UTC (Wed) by gerv (subscriber, #3376) [Link]

"Innocent until proven guilty" is not, of course, a summary of our CA inclusion policy. The inclusion policy is here:
http://www.mozilla.org/projects/security/certs/policy/

Given that CNNIC met all the requirements, just as all other CAs included under the policy did, we think that the burden of proof of wrongdoing should be on those who are alleging it.

The link you gave to Wikipedia shows that CNNIC produced some software, other people called it malware, CNNIC sued them and CNNIC won.

We also have official government CAs in our root store from Japan, Taiwan and the Netherlands. Where does this end? Given China's historical difficult relationships with Taiwan and Japan, are the "army of Chinese internet users" next going to say that they don't trust the Taiwanese and Japanese governments either, and we should remove their roots too?

Gerv

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 10:21 UTC (Wed) by PO8 (guest, #41661) [Link]

"...innocent until proven guilty - an important cornerstone of justice."

Uh, no. "Innocent until proven guilty" is a founding principle of the American criminal justice system, which is not the same thing at all. Indeed, American courts use "a preponderance of the evidence" in civil cases. Why this difference? Because hypothetically the government wields enormous power over the judicial system that it may abuse without strong safeguards. In lawsuits between private parties, it is assumed that the parties have equal access to the judicial system. This is often a poor assumption, but there you are.

The relevance here is that the case of CNNIC is much more like a civil case than a criminal one, and really not like a court case at all. The Mozilla Foundation, a private party, has to try to evaluate the trustworthiness of CNNIC, a quasi-governmental agency, in order to decide about access to the public software that they control. IMHO, an "innocent until proven guilty" rule would be not just wrong but dangerous in this situation. The burden of proof should be on CNNIC, who should provide evidence that they are operating their CA in a safe, responsible and aboveboard manner. In other words, CNNIC (and everyone else) should be denied access to Mozilla's CA cache if there is "any substantial possibility" that they will abuse this access. This is a strong standard, but it would make me feel safer.

civil vs criminal

Posted Feb 3, 2010 12:58 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

[Off topic] The difference is because of the outcomes, not who wields power.

If I say that Barry took my pig...

In the criminal justice system the outcomes are either Barry is a thief, and may lose his liberty and most likely his current job and future job prospects. Or, he is not a thief and may go free. These outcomes are not balanced: if I set one thief in ten free, there are a few thieves roaming free, hardly noticeable. But if I send one innocent man in ten to jail, I end up with a jail full of innocent men, a gross injustice.

Whereas in the civil justice system, either Barry gets to keep the pig, or I do. These outcomes are balanced, either way somebody has a pig and someone doesn't. If a mistake is made, an honest man loses his pig no matter who it is.

If CNNIC make bogus certs, there should be evidence of it, let those who accuse them collect that evidence. If you prefer, in the meanwhile, to exercise the precaution of not trusting dubious entities as CAs, then I recommend disabling _every single one_ of the root CAs included with your OS or browser, since in my opinion none of them could be considered trustworthy in the relevant sense.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds