Reply to post: No-brainer move

Mozilla piles on China's SSL cert overlord: We don't trust you either

James 100

No-brainer move

Frankly, I'd be stunned and concerned if any outfit *didn't* revoke CNNIC's validity for this lot.

"Unacceptable"? Fortunately, CNNIC, you don't get to decide whether to accept things or not: we do, based on defaults from Chrome and others. It's CNNIC and their fake certificates which are not acceptable any more. Inexplicable? Well, that would be the suicidal decision to abuse that trust to issue a bunch of fake IDs, or enable a third party to do so with your implied approval.

Looks like we need a tougher auditing regime for these CAs, if not an alternative scheme entirely; I rather like the DANE DNSSEC approach for regular certificates. Maybe limit the current CA system to EV certs instead, and be much more restrictive about who can issue them.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019