[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #3929 [Tor Browser]: Remove CNNIC



#3929: Remove CNNIC
-------------------------+--------------------------------------------------
 Reporter:  mikeperry    |          Owner:  mikeperry                    
     Type:  defect       |         Status:  new                          
 Priority:  major        |      Milestone:  TorBrowserBundle 2.2.x-stable
Component:  Tor Browser  |        Version:                               
 Keywords:               |         Parent:                               
   Points:               |   Actualpoints:                               
-------------------------+--------------------------------------------------

Comment(by mikeperry):

 Replying to [comment:1 ioerror]:
 > We need to write up our design for forking the CA root system from
 Mozilla and remove all of the CA roots that are sketchy. CNNIC should go
 next.

 The reality of the situation is that there probably isn't a concrete
 policy that could justify the removal of this CA. I sort of almost thought
 about crying a couple crocodile tears for Mozilla when they had to include
 this cert, because you really want to trust that the repeat offender might
 reform themselves and suddenly start respecting people's right to secure
 communications, but you just know bad time are ahead.

 I guess the larger question is: Should we perform a kind of harm reduction
 against the CA model, and allow people to select a number of certs for
 their language/locale that covers X% of the sites they are likely to
 visit?

 In the meantime, it seems that without exits in China, and without any
 real way for Tor users to access Chinese infrastructure without hitting
 the GFW, there is no reason for us to include this cert. The number of tor
 users who need it is effectively zero.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3929#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs