Google doesn't trust China - should Mozilla?
Monday, February 22, 2010 at 10:23PM
Robert

Should Mozilla accept China's Network Information Centre (CNNIC) as a trusted CA (certification authority)?

As Ed Felten explains on the Freedom to Tinker blog, a trusted CA authenticates the identity of the server the browser is connecting to.

But what if you don't trust the CA itself?

As Ed delicately puts it:

"[L]et's suppose, just for the sake of argument, [his italics] that CNNIC were a puppet of the Chinese government. Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' 'secure' web connections."

Technically, CNNIC is an NGO. But in China all NGOs belong to a government agency (so they are all in fact GONGOs). To put the matter beyond doubt, CNNIC even announces on its home page that it "takes orders from the Ministry of Information Industry (MII) [sic] to conduct daily business."

So it is much more than an academic debate. Felten points out that it highlights the fragility of the technical design of the net. He might have added that it also requires trust - yet there is no trust in the Communist Party's relationship with the Chinese people and the rest of the world.

Article originally appeared on Electric Speech (http://www.electricspeech.com/).