China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 10:21 UTC (Wed) by PO8 (guest, #41661)
In reply to: China Internet Network Information Center accepted as a Mozilla root CA by lkundrak
Parent article: China Internet Network Information Center accepted as a Mozilla root CA

"...innocent until proven guilty - an important cornerstone of justice."

Uh, no. "Innocent until proven guilty" is a founding principle of the American criminal justice system, which is not the same thing at all. Indeed, American courts use "a preponderance of the evidence" in civil cases. Why this difference? Because hypothetically the government wields enormous power over the judicial system that it may abuse without strong safeguards. In lawsuits between private parties, it is assumed that the parties have equal access to the judicial system. This is often a poor assumption, but there you are.

The relevance here is that the case of CNNIC is much more like a civil case than a criminal one, and really not like a court case at all. The Mozilla Foundation, a private party, has to try to evaluate the trustworthiness of CNNIC, a quasi-governmental agency, in order to decide about access to the public software that they control. IMHO, an "innocent until proven guilty" rule would be not just wrong but dangerous in this situation. The burden of proof should be on CNNIC, who should provide evidence that they are operating their CA in a safe, responsible and aboveboard manner. In other words, CNNIC (and everyone else) should be denied access to Mozilla's CA cache if there is "any substantial possibility" that they will abuse this access. This is a strong standard, but it would make me feel safer.


civil vs criminal

Posted Feb 3, 2010 12:58 UTC (Wed) by tialaramex (subscriber, #21167)

[Off topic] The difference is because of the outcomes, not who wields power.

If I say that Barry took my pig...

In the criminal justice system the outcomes are either that Barry is a thief, and may lose his liberty and most likely his current job and future job prospects, or that he is not a thief and may go free. These outcomes are not balanced: if I set one thief in ten free, there are a few thieves roaming free, hardly noticeable. But if I send one innocent man in ten to jail, I end up with a jail full of innocent men, a gross injustice.

Whereas in the civil justice system, either Barry gets to keep the pig, or I do. These outcomes are balanced: either way somebody has a pig and someone doesn't. If a mistake is made, an honest man loses his pig no matter who it is.

If CNNIC make bogus certs, there should be evidence of it; let those who accuse them collect that evidence. If you prefer, in the meanwhile, to exercise the precaution of not trusting dubious entities as CAs, then I recommend disabling _every single one_ of the root CAs included with your OS or browser, since in my opinion none of them could be considered trustworthy in the relevant sense.

Copyright © 2013, Eklektix, Inc.