
China Internet Network Information Center accepted as a Mozilla root CA


Posted Feb 2, 2010 19:08 UTC (Tue) by josh (subscriber, #17465)
In reply to: China Internet Network Information Center accepted as a Mozilla root CA by lkundrak
Parent article: China Internet Network Information Center accepted as a Mozilla root CA

As pointed out more than once in Bugzilla and other discussions, "innocent until proven guilty" represents an excellent policy for criminal charges, but a terrible one for security and trust policies. For those, I'd advocate "guilty unless they give no possible reason for mistrust".

That doesn't mean that every bit of hearsay should by itself represent enough reason to deny trust, but when this much unrefuted evidence exists it seems prudent to deny trust until receiving proof of trustworthiness.

One notable link posted in the bug: http://en.wikipedia.org/wiki/China_Internet_Network_Infor...



China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 19:34 UTC (Tue) by tzafrir (subscriber, #11501) [Link]

Sorry, but I find no hard evidence in that entry. In fact this entry omits any evidence of any other malware detection software from around the world declaring that software as malware.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 23:16 UTC (Tue) by redguardtoo (guest, #39215) [Link]

You found no evidence because you did NOT try.

See,
http://blogsearch.google.com/blogsearch?hl=en&ie=UTF-...

Or,
http://www.google.com.au/search?q=cnnic+%E6%88%91&ie=...

You can ask your Chinese friend to help you if you don't know Chinese.

There is hard evidence that most Chinese IT guys don't trust CNNIC at all. Yes, I'm one of those Chinese guys because I know the notorious history of CNNIC too well.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 23:28 UTC (Tue) by redguardtoo (guest, #39215) [Link]

I just googled CNNIC and 我 (means 'I').
The result is hard evidence of how average Chinese "trust" CNNIC.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 7:29 UTC (Wed) by farter (guest, #62197) [Link]

You really don't need to understand Chinese to know about CNNIC.

Just google "CNNIC malware". For instance, this page on MS: http://www.microsoft.com/security/portal/Threat/Encyclope....

Maybe I'm xenophobic, but IMHO, any institution having an entry bearing its name in nearly all major malware databases simply is not trustworthy, period.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 15:56 UTC (Wed) by tzafrir (subscriber, #11501) [Link]

josh above pointed to a certain section of a Wikipedia article as evidence of some fact. I merely pointed out that the specific section provides no evidence.

You claim that there is evidence elsewhere? Fine. BTW: you can still fix that Wikipedia article. I generally have some more trust in Wikipedia articles that are popular enough because they have been reviewed by enough eyeballs, and it is usually easy to tell when the content of the article is controversial (which means I should then further review the talk page and relevant links).

What I saw in the bug report was a bunch of people shouting. Beyond shouting, they provided relatively little supporting evidence.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 13:53 UTC (Wed) by gerv (subscriber, #3376) [Link]

"Innocent until proven guilty" is not, of course, a summary of our CA inclusion policy. The inclusion policy is here:
http://www.mozilla.org/projects/security/certs/policy/

Given that CNNIC met all the requirements, just as all other CAs included under the policy did, we think that the burden of proof of wrongdoing should be on those who are alleging it.

The link you gave to Wikipedia shows that CNNIC produced some software, other people called it malware, CNNIC sued them and CNNIC won.

We also have official government CAs in our root store from Japan, Taiwan and the Netherlands. Where does this end? Given China's historically difficult relationships with Taiwan and Japan, are the "army of Chinese internet users" next going to say that they don't trust the Taiwanese and Japanese governments either, and we should remove their roots too?

Gerv

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds