Firefox:No longer trust the new certificate CNNIC

Mozilla no longer trust the new certificate CNNIC

Mozilla no longer trust the new certificate CNNIC

Article translated from Mozilla blogoriginal。I Caishuxueqian,Omissions are inevitable if the error message welcome treatise!

Last week, Mozilla NoticeOne called CNNIC Intermediate Certificate Authority issued a certificate unfettered,Domain name then this certificate will be used to give the recipient does not have control over the domain name or a certificate (for example,:Middle attack)。We call this intermediate certificate revocation directly added to the Firefox system (OneCRL) The interrogation,And to investigate the matter further。

After reviewing the case and carried out a public in our mailing listheated discussionafter that, we come to the conclusion,CNNIC issued unfettered intermediate certificate to the company's behavior in PKI behavior is without precedent,And there is no oversight of the private key is stored in the control or Mozilla's CA certificate policy enforcementSpeaking,This behavior is "extremely serious misconduct"。So,After public discussion and taking into account the scope and impact of a series of options we decided to update the code,Mozilla's product will not trust any certificate CNNIC root certificate in April 1, 2015 and later issued。More details of this incident we are and how we reach decisions together wrote aLonger documents

If you wish CNNIC,Can re-apply Mozilla accepts all certificates with the storage and removal of such restrictions,Mozilla community to fully complete after Mozilla may be added to the additional demand for the event include process。This will Forum discussion。

Those CNNIC will be reviewed after the addition of the certificate。Therefore, we will ask a complete list of currently valid certificates to the public and CNNIC。After obtaining a list of,Once on the Internet by us or any other person found to have a certificate before April 1, 2015 but did not list them in,We reserve the right to take further measures。

We believe that the answer to the Mozilla policy is consistent and the same applies to any other situation CA 。

Mozilla security team

Digression,Up to now,CNNIC simply ignore seemingly out Mozilla's statement,It appears to be a fundamental look down on people ah ~



Original article written by Gerber drop-off:R0uter's Blog » Firefox:No longer trust the new certificate CNNIC

Reproduced Please keep the source and description link:

About the Author


The non-declaration,I have written articles are original,Reproduced, please indicate the link on this page and my name。

Leave a Reply

Your email address will not be published. Required fields are marked *