[tor-bugs] #3929 [Tor Browser]: Remove CNNIC
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Mon Sep 5 09:42:46 UTC 2011
#3929: Remove CNNIC
-------------------------+--------------------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: defect | Status: new
Priority: major | Milestone: TorBrowserBundle 2.2.x-stable
Component: Tor Browser | Version:
Keywords: | Parent:
Points: | Actualpoints:
-------------------------+--------------------------------------------------
Comment(by mikeperry):
Replying to [comment:1 ioerror]:
> We need to write up our design for forking the CA root system from
Mozilla and remove all of the CA roots that are sketchy. CNNIC should go
next.
The reality of the situation is that there probably isn't a concrete
policy that could justify the removal of this CA. I sort of almost thought
about crying a couple crocodile tears for Mozilla when they had to include
this cert, because you really want to trust that the repeat offender might
reform themselves and suddenly start respecting people's right to secure
communications, but you just know bad time are ahead.
I guess the larger question is: Should we perform a kind of harm reduction
against the CA model, and allow people to select a number of certs for
their language/locale that covers X% of the sites they are likely to
visit?
In the meantime, it seems that without exits in China, and without any
real way for Tor users to access Chinese infrastructure without hitting
the GFW, there is no reason for us to include this cert. The number of tor
users who need it is effectively zero.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3929#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list