[cabfpub] FW: SANS NewsBites Vol. 17 Num. 026 : Health Care Data Increased Risk; Federal CIOs Say OMB Reporting Requirements Not Helpful; US Retailers Must Adopt Chip-Based Payment Card Technology by October or Assume Breach Liability; China Delays Stringent Requir

Fri Apr 3 13:55:15 MST 2015

The latest SANS NewsBites mentions the CABF.

-Rick

 --Chrome and Firefox to Stop Trusting Certificates from Chinese
    Certificate Authority
(April 1 & 2, 2015)
Both Google Chrome and Mozilla Firefox will no longer trust certificates issued by the China Internet Network Information Center (CNNIC). Last month, an intermediate certificate authority issued unauthorized digital certificates for several Google domains. The intermediate certificate was issued by CNNIC.
http://arstechnica.com/security/2015/04/google-chrome-will-banish-chinese-certificate-authority-for-breach-of-trust/
http://www.zdnet.com/article/google-banishes-chinas-main-digital-certificate-authority-cnnic/
http://www.theregister.co.uk/2015/04/02/google_furious_dodgy_chinese_certs_cnnic_chrome_warning/
http://www.theregister.co.uk/2015/04/02/mozilla_revokes_cnnic_cert_trust/
http://www.computerworld.com/article/2905282/googles-cert-sanction-may-hamper-browsing-trigger-china-retaliation.html
http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
[Editor's Note (Pescatore): I think it is a good thing for Certificate Authorities to be fully audited and re-certified after they make egregious mistakes or are compromised in ways that jeopardize security.
However, two issues (1) The process needs to be fair - US-based CAs that issue certificates in error or fraudulently need to be treated the same way; (2) The bigger issue: this is a case of a US-based for profit company and an open source company essentially making Internet governance decisions on their own. What happens when the Qihoo browser claims Google did something wrong and decides not to trust Google? If the CA/Browser forum continues to be ineffective, some sort of broader Internet governance body like ICANN, W3C etc. needs to define some acceptable processes.]