Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Untrusting CNNIC wouldn't really "fix" it. There are hundreds of trusted CAs, and any of them could do something like this.


Not removing CNNIC just says that other CAs won't be punished, either. Like Comodo.[1]

Browsers should start considering scoping CAs by default. If CNNIC signs, say, a Mexican domain, that might be cause for suspicion. It's a bit more complicated since .com and others are sorta generic. But there's gotta be something that can limit exposure for many customers. How many US users often run into CNNIC, or those South American CAs?

1: On one of their sales calls, I told them they failed at the one thing they were supposed to do as a CA. Without missing a beat, the guy shifted to trying to sell me antivirus software.


Adopting a zero-tolerance policy for CAs that are bad actors (including those that allow others to have their full power who themselves act as bad actors) and removing their root certificates from trust stores would create a substantial disincentive for CAs to be bad actors.


Yeah, I can't believe the "oh, that's OK, a silly bureaucratic snafu, boys will be boys" response from Google. But at least they told us, they didn't sweep it under the rug.

I would have preferred the Pulp Fiction version. Google should have instead said to CNNIC:

   You hear me talkin', hillbilly boy? I ain't
   through with you by a damn sight. I'ma get
   medieval on your ass.


Could, but would? At least ban the ones that are proven to be untrustworthy. Otherwise the entire concept of a trust store is a joke and a racket to print money (certificates)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: