Mozilla joined Google in revoking trust for certificates issued by the China Internet Network Information Center (CNNIC) Certificate Authority.
CNNIC is the administrative agency responsible for Internet affairs under the Ministry of Information Industry of the People’s Republic of China, and operates and administers China’s domain name registry, the country’s code top level domain (.cn) and the Chinese Domain Name System.
“As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products,” Google Security Engineer Adam Langley said.
“After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behavior in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy,” said Kathleen Wilson, program manager at Mozilla.
“Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015.”
The company will also ask of CNNIC to provide a list of their currently-valid certificates, which they will then make public.
“After the list has been provided, if a certificate not on the list, with a notBefore date before April 1 2015, is detected on the public Internet by us or anyone else, we reserve the right to take further action,” she said.
Mozilla said the change is not permanent, and CNNIC is welcome to “re-apply for full inclusion in the Mozilla root store,” after making changes that would prevent incidents like this one from happening again.