
Trustwave is still in the Mozilla CA bundle: https://wiki.mozilla.org/CA:IncludedCAs


At the end of the bug discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=724929 it was decided to give Trustwave a reprieve. Mozilla policy was updated to explicitly forbid such usage, and each of the CAs was required to verify that they were complying with the new policy or state when they would come into compliance.

CNNIC did so here: https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dGx...

Kathleen Wilson's comment on the bug was: https://bugzilla.mozilla.org/show_bug.cgi?id=724929#c66 "My intent is to make it clear that this type of behavior will not be tolerated for subCAs chaining to roots in NSS, give all CAs fair warning and a grace period, and state the consequences if such behavior is found after that grace period."

However, over 14 months later, when it came out that the ANSSI (aka the French government) was doing the exact same thing, rather than revoking the root certificate Mozilla decided to limit them to issuing certificates to: .fr, .gp, .gf, .mq, .re, .yt, .pm, .bl, .mf, .wf, .pf, .nc, .tf

which AFAICT essentially acquiesces in MitM-ing French Firefox users who go to French websites.

I wonder if the response will be the same here.


> Mozilla decided to limit them to issuing certificates to: .fr, .gp, .gf, .mq, .re, .yt, .pm, .bl, .mf, .wf, .pf, .nc, .tf

Is there any way to do the same, manually, for the other "national" CAs? I wouldn't mind if CNNIC handed out a certificate for every .cn domain out there, but if they ever try to sign one for an Egyptian entity (or even worse, a .com domain), I want to see a big red warning. Ditto for the Japanese and Taiwanese governments, which Firefox also seems to trust unconditionally.

I actually do this to some extent, as I don't quite trust the NIC of my own government. I told my browser not to trust it, so whenever I try to visit a government website, I get a big red warning. I override the warning after confirming that I am indeed visiting a government website protected with a government certificate. But if the government NIC ever tried to show me a certificate for a non-government website, I would know immediately. This works, but it's inconvenient, so I'd love to be able to restrict any given CA to subdomains of specific TLDs and/or second-level domains.
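One way to script the per-CA TLD restriction the comment above asks for, modelled on the ANSSI limitation quoted earlier in the thread. This is an added example, not code from the thread or from Mozilla; the CA_POLICY table (apart from ANSSI's quoted list and the ".cn only" rule the poster describes) and the "Example Gov NIC" entry are constructed.

```python
"""Per-CA suffix allow-list check, in the spirit of Mozilla's ANSSI restriction.

Given the issuer of a leaf certificate and the DNS names in its
subjectAltName, report every name that falls outside the suffixes that
issuer is allowed to certify. A browser would enforce this with X.509
name constraints; here the policy is a plain dict so it can be applied
to any CA. Constructed example, not Mozilla's or Firefox's own logic.
"""
from typing import Dict, List

# Permitted DNS suffixes per issuer. ANSSI's list is the one quoted in the
# thread; CNNIC gets the ".cn only" rule the poster asks for; the
# "Example Gov NIC" entry is a constructed second-level-domain restriction.
CA_POLICY: Dict[str, List[str]] = {
    "ANSSI": [".fr", ".gp", ".gf", ".mq", ".re", ".yt", ".pm",
              ".bl", ".mf", ".wf", ".pf", ".nc", ".tf"],
    "CNNIC": [".cn"],
    "Example Gov NIC": [".gov.example"],   # hypothetical issuer and suffix
}

def _normalise(name: str) -> str:
    """Lower-case, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]           # '*.foo.fr' is bounded by 'foo.fr'
    return name

def name_within(name: str, suffix: str) -> bool:
    """True if name equals the suffix or is a subdomain of it.
    Matching is label-wise, so 'notfr.com' does not satisfy '.fr'."""
    n = _normalise(name)
    s = suffix.lower().strip(".")
    return n == s or n.endswith("." + s)

def check_san(issuer: str, san_names: List[str]) -> List[str]:
    """Return the SAN names the issuer is NOT permitted to certify.
    Issuers absent from the policy are unconstrained (empty result),
    which mirrors today's default of unconditional trust."""
    allowed = CA_POLICY.get(issuer)
    if allowed is None:
        return []
    return [n for n in san_names
            if not any(name_within(n, s) for s in allowed)]

if __name__ == "__main__":
    # Constructed SAN lists; a real check would read them from the cert.
    print(check_san("ANSSI", ["www.impots.gouv.fr", "www.google.com"]))
    print(check_san("CNNIC", ["Example.CN.", "notcn.com", "*.cn"]))
```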


So is the Chinese who signed the certificate, probably.

Too big to fail and all that jazz.



