[cabfpub] Draft Zurich F2F Meeting agenda

Dean Coclin Dean_Coclin at symantec.com
Wed Apr 8 16:14:05 UTC 2015

Is this something you still want on the agenda to discuss?



From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Tuesday, April 07, 2015 9:53 PM
To: Richard Wang
Cc: Dean Coclin; public at cabforum.org
Subject: Re: [cabfpub] Draft Zurich F2F Meeting agenda




On Tue, Apr 7, 2015 at 6:42 PM, Richard Wang <richard at wosign.com> wrote:

Thanks for such detailed information.


The reason I raise this problem is that most banks in China install their own root into the Windows trusted root store while installing the USB Key CSP, but the user key certificate doesn't have an EKU limit, so a user can use this cert to sign malware whose signature is trusted by Windows. This is a big security problem.

Another problem is that the trusted signed malware modifies the local host file and installs its own root into the trusted roots, then redirects to the fraudulent bank site, but the browser doesn't show a warning.


This is why I suggest that browsers and Windows should not trust manually installed roots.



Best Regards,






I agree, that is a real problem. I'm aware of a number of similar unfortunate and insecure practices being encouraged by the traditionally trusted organizations (banks, postal services, governments). I think it's very unfortunate for users when their system security is subverted by the people they trust.


Just because I don't think there is much that the CA/B Forum can or should do does not mean I don't think this is an important issue or that it should be solved. I just don't think that we here can solve it. In some circles, this is called a "layer 8 issue" - meaning that the solution is not necessarily one of technology, but one of policy, awareness, and activism.
