CNNIC 的根憑證 (包括 EV) 從 Google 全系列產品移除

在「Maintaining digital certificate security」這篇文章裡的更新:

Update - April 1: As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist. While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.

Google 的作法是將現有使用 CNNIC 發出的 SSL certificate 會以白名單形式放入,然後移除現有的 CNNIC 憑證。

2 thoughts on “CNNIC 的根憑證 (包括 EV) 從 Google 全系列產品移除”

Leave a Reply

Your email address will not be published. Required fields are marked *