[cabfpub] FW: SANS NewsBites Vol. 17 Num. 026 : Health Care Data Increased Risk; Federal CIOs Say OMB Reporting Requirements Not Helpful; US Retailers Must Adopt Chip-Based Payment Card Technology by October or Assume Breach Liability; China Delays...

Richard Wang richard at wosign.com
Sat Apr 4 00:24:28 UTC 2015

I agree with the editor's opinion that browsers should treat Western CAs the same as Chinese CAs!
Comodo and TurkTrust also issued wrong certs for Google, but their roots were NOT removed.



> On Apr 4, 2015, at 04:53, Rick Andrews <Rick_Andrews at symantec.com> wrote:
> The latest SANS NewsBites mentions the CABF.
> -Rick
> --Chrome and Firefox to Stop Trusting Certificates from Chinese Certificate Authority
> (April 1 & 2, 2015)
> Both Google Chrome and Mozilla Firefox will no longer trust certificates issued by the China Internet Network Information Center (CNNIC). Last month, an intermediate certificate authority issued unauthorized digital certificates for several Google domains. The intermediate certificate was issued by CNNIC.
> http://arstechnica.com/security/2015/04/google-chrome-will-banish-chinese-certificate-authority-for-breach-of-trust/
> http://www.zdnet.com/article/google-banishes-chinas-main-digital-certificate-authority-cnnic/
> http://www.theregister.co.uk/2015/04/02/google_furious_dodgy_chinese_certs_cnnic_chrome_warning/
> http://www.theregister.co.uk/2015/04/02/mozilla_revokes_cnnic_cert_trust/
> http://www.computerworld.com/article/2905282/googles-cert-sanction-may-hamper-browsing-trigger-china-retaliation.html
> http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
> [Editor's Note (Pescatore): I think it is a good thing for Certificate Authorities to be fully audited and re-certified after they make egregious mistakes or are compromised in ways that jeopardize security.
> However, two issues (1) The process needs to be fair - US-based CAs that issue certificates in error or fraudulently need to be treated the same way; (2) The bigger issue: this is a case of a US-based for profit company and an open source company essentially making Internet governance decisions on their own. What happens when the Qihoo browser claims Google did something wrong and decides not to trust Google? If the CA/Browser forum continues to be ineffective, some sort of broader Internet governance body like ICANN, W3C etc. needs to define some acceptable processes.]