Distrusting New CNNIC Certificates

Last week, Mozilla was notified that a Certificate Authority (CA) called CNNIC had issued an unconstrained intermediate certificate, which was subsequently used by the recipient to issue certificates for domain names the holder did not own or control (i.e., for MitM). We added the intermediate certificate in question to Firefox’s direct revocation system, called OneCRL, and have been further investigating the incident.

After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015. We have put together a longer document with more details on the incident and how we arrived at the conclusion we did.

CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla’s inclusion process after completing additional steps that the Mozilla community may require as a result of this incident. This will be discussed in the mozilla.dev.security.policy forum.

The notBefore date that will be checked is inserted into the certificate by CNNIC. We will therefore be asking CNNIC for a comprehensive list of their currently-valid certificates, and publishing it. After the list has been provided, if a certificate not on the list, with a notBefore date before 1 April 2015, is detected on the public Internet by us or anyone else, we reserve the right to take further action.

We believe that this response is consistent with Mozilla policy and is one which we could apply to any other CA in the same situation.

Mozilla Security Team

96 responses

  1. whatsthefuckname wrote on :

    支持,顶,好!

  2. tutugreen wrote on :

    发来贺电。

  3. 噼啪 wrote on :

    Mozilla的确应该全线吊销CNNIC的证书,因为CNNIC是一家没有任何身份的组织,它既不是中国政府的部门,也不是商业企业,也不是非盈利组织。它是一个没有合法登记的机构,因而绝对不可以信任。

More comments: 1 2 3 4