
noxenook | 11 years ago

At risk of sounding xenophobic, you have to wonder if this is simply an effort to have Chinese-issued certificates become commonplace in the west. A common form of certificate pinning is based on the CA that issued the certificate (to allow certificate rotation). More Chinese-issued certificates being used intentionally will make the mere fact that a certificate was issued by a Chinese CA less suspicious.

rmoriz | 11 years ago

Yes and no.

Nothing is 100% secure, and new CA players will bring higher encryption usage overall (in this case -> other business model/regional reach). Higher usage will also drive the number of criminals (including secret agencies) trying to MITM/intercept that encryption. This will push vendors and developers to increase certificate pinning and other "bottom-up" models besides the top-down model that the CA model implements.

IMHO it would be great to have a "working by default" model (which the CA model is, compared to something like PGP) and a protocol-independent way to pin public keys (e.g. not tied to HTTP(S) like HSTS and HPKP).

People and companies in need of "higher" security can pin keys and e.g. ignore the root trust of their OS/browser. So IMHO the best of "both" worlds.

HSTS http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

HPKP https://developer.mozilla.org/en-US/docs/Web/Security/Public...
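As an added example (not code from the thread), here is what HPKP-style pin validation looks like in Python: a pin is the SHA-256 of a certificate's SubjectPublicKeyInfo, a chain is accepted if any certificate in it matches a pin (which is why pinning the intermediate CA's key, as the first comment describes, still allows leaf rotation), and a client honours the header only if it also carries a backup pin that is not in the chain. The SPKI byte strings and the header are constructed stand-ins, and the header parser is a simplified one written for this illustration.

```python
"""HPKP-style pin validation (RFC 7469 semantics): a client that trusts
only pinned keys, independent of the OS/browser root store."""
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs; a real
# client would take them from the certificates in the served chain.
LEAF_SPKI = b"constructed-spki:leaf"
INTERMEDIATE_SPKI = b"constructed-spki:intermediate-ca"
BACKUP_SPKI = b"constructed-spki:backup-key-held-offline"

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_hpkp_header(header: str) -> dict:
    """Split a Public-Key-Pins header into its pins and directives (simplified)."""
    pins, max_age, include_sub = [], None, False
    for directive in header.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/=]+)"', directive)
        if m:
            pins.append(m.group(1))
        elif directive.lower().startswith("max-age="):
            max_age = int(directive.split("=", 1)[1])
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}

def chain_matches_pins(chain_spkis: list, pins: list) -> bool:
    """The chain is accepted if ANY certificate's SPKI hashes to a pinned value.
    Pinning the intermediate CA's key lets the leaf certificate rotate freely."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)

def header_is_valid(header: str, chain_spkis: list) -> bool:
    """RFC 7469 makes the client ignore a header unless at least one pin matches
    the chain and at least one (the backup pin) does not."""
    pins = parse_hpkp_header(header)["pins"]
    matched = {spki_pin(spki) for spki in chain_spkis}
    return any(p in matched for p in pins) and any(p not in matched for p in pins)

# Constructed header pinning the intermediate CA plus an offline backup key.
EXAMPLE_HEADER = (
    f'pin-sha256="{spki_pin(INTERMEDIATE_SPKI)}"; '
    f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; max-age=5184000; includeSubDomains'
)
```

A chain issued by a different CA fails `chain_matches_pins` even if the OS root store would accept it, which is the "ignore the root trust" behaviour described above.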

aroch | 11 years ago

Honestly, I'd like to see something in the vein of TACK [1] over the other various key pinning methods.

[1] http://tack.io/