Mozilla has joined Google in revoking trust for certificates issued by the China Internet Network Information Center (CNNIC) Certificate Authority.

CNNIC is the administrative agency responsible for Internet affairs under the Ministry of Information Industry of the People's Republic of China. It operates and administers China’s domain name registry, the country code top-level domain (.cn) and the Chinese Domain Name System.

"After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behavior in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy," Kathleen Wilson, Program Manager at Mozilla, explained.

"Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015."

The company will also ask CNNIC to provide a list of its currently valid certificates, which Mozilla will then make public.

Source: Help Net Security