Opened 7 years ago

Closed 10 days ago

#3929 closed defect (wontfix)

Remove CNNIC

Reported by: mikeperry Owned by: tbb-team
Priority: Medium Milestone: TorBrowserBundle 2.3.x-stable
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-firefox-patch
Cc: g.koppen@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


We should remove CNNIC. What have they done for us lately?

Child Tickets

Change History (13)

comment:1 Changed 7 years ago by ioerror

We need to write up our design for forking the CA root system from Mozilla and remove all of the CA roots that are sketchy. CNNIC should go next.

comment:2 in reply to:  1 Changed 7 years ago by mikeperry

Replying to ioerror:

We need to write up our design for forking the CA root system from Mozilla and remove all of the CA roots that are sketchy. CNNIC should go next.

The reality of the situation is that there probably isn't a concrete policy that could justify the removal of this CA. I sort of almost thought about crying a couple crocodile tears for Mozilla when they had to include this cert, because you really want to trust that the repeat offender might reform themselves and suddenly start respecting people's right to secure communications, but you just know bad time are ahead.

I guess the larger question is: Should we perform a kind of harm reduction against the CA model, and allow people to select a number of certs for their language/locale that covers X% of the sites they are likely to visit?

In the meantime, it seems that without exits in China, and without any real way for Tor users to access Chinese infrastructure without hitting the GFW, there is no reason for us to include this cert. The number of tor users who need it is effectively zero.

comment:3 Changed 7 years ago by mikeperry

(Cue anonymous false flag hit-and-run poster who claims they really, really need this cert for their daily tor usage?)

comment:4 Changed 7 years ago by ioerror

I'd like to see TBB get to CA zero - something sorta like INBOX zero.

Here are two blog posts worth considering:

I think we should have a reductionist policy - what CAs do we absolutely need today? What CAs can we entirely remove? What methods exist for a non-CA model? What will complement and allow the CA model to confirm other data that we trust?

I think DANE delivered ala verified DNSSEC with a matching CA signature would be much better than any signature from any valid CA. Similarly, I think CAA will do a lot of good in this regard.

comment:5 Changed 7 years ago by ioerror



Mike - what do you think about the above two things to complement the model we're using now?

comment:6 Changed 7 years ago by gk

Cc: g.koppen@… added

comment:7 Changed 7 years ago by mikeperry

Milestone: TorBrowserBundle 2.2.x-stableTorBrowserBundle 2.3.x-stable

comment:8 Changed 6 years ago by mikeperry

Priority: majornormal

After watching Mozilla deal with the Diginotar fiasco (and the size of the patch involved to correctly remove a CA for realz), I am ready to accept our overlords in Beijing for a while longer.

ioerror: I would love to replace the whole CA model, but we need Mozilla to provide us with first. Alternatively, Chrome might build this first:

comment:9 Changed 4 years ago by erinn

Keywords: tbb-firefox-patch added

comment:10 Changed 4 years ago by erinn

Component: Firefox Patch IssuesTor Browser
Owner: changed from mikeperry to tbb-team

comment:11 Changed 4 years ago by phw

I'm not sure if this is still relevant but here's another reason why CNNIC should be removed -- and if simply for symbolic reasons:

comment:12 Changed 6 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:13 Changed 10 days ago by gk

Resolution: wontfix
Status: newclosed

We don't plan to start in the CA policing business.

Note: See TracTickets for help on using tickets.