Mozilla and CNNIC

Posted Feb 4, 2010 8:21 UTC (Thu) by tzafrir (subscriber, #11501)
Parent article: Mozilla and CNNIC

A somewhat unrelated comment:

Either the CNNIC CA misbehaves or it doesn't. In either case, the inclusion procedure Mozilla have applied verified very well that this certificate does indeed belong to them. Thus even if I don't trust them for signing certificates, I can trust Mozilla for verifying their identity.

I wonder if there's a point in shipping various certificates as "disabled by default". E.g. not all users may trust CNNIC or http://www.cacert.org/ . But it helps to have a well-verified root-CA of them delivered to you through a channel you trust (if you can't trust the browser you installed, other things are broken anyway).

And yes, let's just all switch to GPG :-)



Mozilla and CNNIC

Posted Feb 4, 2010 12:35 UTC (Thu) by Oddscurity (guest, #46851)

So if I understand what you're saying:

- Ship CA certs with the browser, disabled by default
- Upon first encountering a certificate signed with one of these, prompt the user asking them if they trust the CA in question and allow them to enable it.

Maybe put this under a switch in about:config?

I'd use it.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.