China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 22:37 UTC (Tue) by dkg (subscriber, #55359)
In reply to: China Internet Network Information Center accepted as a Mozilla root CA by xxiao
Parent article: China Internet Network Information Center accepted as a Mozilla root CA

I agree that this article's focus solely on China is probably a form of short-sighted xenophobia, and that there are many other dubious entities we should also be skeptical about.

But that doesn't mean we shouldn't be skeptical of CNNIC's inclusion. It means we should also be skeptical of the existing CAs that we're all implicitly "trusting" thanks to the vendors/distributors of our browsers (and other tools).

Debian's ca-certificates includes the Brazilian government's CA, for example. And the majority of the CAs included by default in Mozilla are subject to US Government jurisdiction and pressure. We should be securing our communications based on interpersonal networks of trust, not relying on these monolithic, unaccountable CAs.

Unfortunately, the single-issuer nature of X.509 certificates creates a structural bias toward centralization of authority, which is neither socially beneficial nor secure for the end user.

What we need is more work on projects like monkeysphere (I'm one of the developers), which looks to supplant existing PKIs (including X.509) with the distributed, de-centralized Web of Trust offered by OpenPGP.

The more communications security is in the hands of the end users, with tools that are intelligible to end users, the more we can reject these abusive (or at least easily abused) centralized authorities.



China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 23:18 UTC (Tue) by redguardtoo (guest, #39215)

That I don't trust the CCP (CNNIC is controlled by the CCP) does not mean I am xenophobic.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 23:54 UTC (Tue) by dkg (subscriber, #55359)

I didn't say being suspicious of the CCP meant that you were xenophobic. I said that the article's sole focus on China was probably a form of xenophobia because it ignores the other threats. My point is that there are bigger questions at stake than just the Chinese gov't's surveillance regime.

Focus on the bigger, systemic problem of crappy networked PKI, not on just one of the (likely) abusers.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 6:19 UTC (Wed) by redguardtoo (guest, #39215)

I get your point.

There must be something wrong in the basic workflow of the authority (or some committee?) who granted the CNNIC root CA.

From my point of view, it is so easy to validate CNNIC's credit. You just grab anyone who can read Chinese from the street. Let him/her google CNNIC to know how average Chinese people think about CNNIC. It won't take more than 5 minutes!

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 9:09 UTC (Wed) by paulj (subscriber, #341)

Could you state your point more explicitly? I'm not quite sure what answer
you're assuming to your rhetorical question.

E.g. I would think most Chinese people would have either:

a) No opinion, just as 99.99% of people in the West would have no opinion of
IANA, or Verisign, etc.

b) Approve, on learning it was a Chinese state entity to manage important
stuff related to the internet.

The one thing I know about China is that the people there are very patriotic
and extremely proud of their achievements and progress, regardless of CCP.
Just as people in the West are proud of whatever valued aspects of their
country, even if they don't approve of their leadership (e.g. the status of the
military in the USA relative to its presidents is a widely understood example).

I wonder though if perhaps you are Chinese (and if so, are you mainland or
elsewhere?).

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 11:18 UTC (Wed) by redguardtoo (guest, #39215)

I *have* said I am Chinese. Yes, I am from mainland China.

My point is that if the CNNIC root CA could be easily accepted, maybe the general approval procedure has some flaw. I am expecting some security experts to explain to me the details of such a procedure.

Your analogy of most people in the West not knowing IANA or Verisign is inappropriate because you don't get the fact that CNNIC is hated by many Chinese, at least most IT guys, for some good reasons.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 12:42 UTC (Wed) by paulj (subscriber, #341)

Ok, but can you expand on why?

I know some Chinese people quite well, but I don't know any who'd have any clue
who CNNIC were, never mind why they might be unpopular with Chinese IT
people. :) Western IT people don't quite know why either. (i.e. I think you missed
the point of the analogy somewhat, but never mind..).

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 12:41 UTC (Wed) by TRS-80 (subscriber, #1804)

I'd also like to see RFC 5054 (TLS/SRP) supported widely. You could then encrypt your IMAP connection without having to get a PKIX cert.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.