<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article10_02_02_202238</id>
	<title>Mozilla Accepts Chinese CNNIC Root CA Certificate</title>
	<author>kdawson</author>
	<datestamp>1265107260000</datestamp>
	<htmltext>Josh Triplett writes <i>"Last October, Mozilla <a href="http://lwn.net/Articles/372264/">accepted the China Internet Network Information Center</a> as a trusted CA root (<a href="https://bugzilla.mozilla.org/show\_bug.cgi?id=476766">Bugzilla entry</a>). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the <a href="http://groups.google.com/group/mozilla.dev.security.policy/browse\_thread/thread/17be3bd7e0b33e8c">associated discussion</a> have presented evidence that the Chinese government controls CNNIC, and surfaced claims of <a href="http://en.wikipedia.org/wiki/China\_Internet\_Network\_Information\_Center#Malware\_Production\_And\_Distribution">malware production and distribution</a> and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."</i></htmltext>
<tokenext>Josh Triplett writes " Last October , Mozilla accepted the China Internet Network Information Center as a trusted CA root ( Bugzilla entry ) .
This affects Firefox , Thunderbird , and other products built on Mozilla technologies .
The standard period for discussion passed without comment , and Mozilla accepted CNNIC based on the results of a formal audit .
Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC , and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust .
As usual , please refrain from blindly chiming into the discussion without supporting evidence .
Since Mozilla has already accepted CNNIC as a trusted root CA , the burden rests with those who argue for its removal .
"</tokentext>
<sentencetext>Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry).
This affects Firefox, Thunderbird, and other products built on Mozilla technologies.
The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit.
Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust.
As usual, please refrain from blindly chiming into the discussion without supporting evidence.
Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal.
"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004104</id>
	<title>Re: As usual, please refrain from blindly chiming</title>
	<author>eclectro</author>
	<datestamp>1265121900000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext><p><div class="quote"><p>Wow, youre so new here, youre still dripping wet and covered in placenta.</p></div><p>And a Chinese, heavy metal laden one, at that.</p></div>
	</htmltext>
<tokenext>Wow , youre so new here , youre still dripping wet and covered in placenta.And a Chinese , heavy metal laden one , at that .</tokentext>
<sentencetext>Wow, youre so new here, youre still dripping wet and covered in placenta.And a Chinese, heavy metal laden one, at that.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002260</id>
	<title>Given they've bowed to Chinese pressure</title>
	<author>sethstorm</author>
	<datestamp>1265111040000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>4</modscore>
	<htmltext><p>...is there a straightforward way to mark CNNIC as untrusted?</p></htmltext>
<tokenext>...is there a straightforward way to mark CNNIC as untrusted ?</tokentext>
<sentencetext>...is there a straightforward way to mark CNNIC as untrusted?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003152</id>
	<title>Re:Relative security of self-signed certificates</title>
	<author>Anonymous</author>
	<datestamp>1265115960000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Perhaps merging a PGP-like web of trust interlink with SSL security.  So, if a close friend trusts foo.com as a CA, then the Web browser would assume that.  If a friend dislikes blarf.com, the Web browser will pop up something saying that the CA isn't that liked among friends.</p><p>Problem is that for<nobr> <wbr></nobr>/. readers, a system like this would make perfect sense.  However, most people seem to just want to connect to a site, see a little padlock icon and assume that they can log into their bank safely.  They don't care about CAs, web of trusts, CRLs, SLCs... just that they can access whatever with some reasonable security.</p></htmltext>
<tokenext>Perhaps merging a PGP-like web of trust interlink with SSL security .
So , if a close friend trusts foo.com as a CA , then the Web browser would assume that .
If a friend dislikes blarf.com , the Web browser will pop up something saying that the CA is n't that liked among friends.Problem is that for / .
readers , a system like this would make perfect sense .
However , most people seem to just want to connect to a site , see a little padlock icon and assume that they can log into their bank safely .
They do n't care about CAs , web of trusts , CRLs , SLCs... just that they can access whatever with some reasonable security .</tokentext>
<sentencetext>Perhaps merging a PGP-like web of trust interlink with SSL security.
So, if a close friend trusts foo.com as a CA, then the Web browser would assume that.
If a friend dislikes blarf.com, the Web browser will pop up something saying that the CA isn't that liked among friends.Problem is that for /.
readers, a system like this would make perfect sense.
However, most people seem to just want to connect to a site, see a little padlock icon and assume that they can log into their bank safely.
They don't care about CAs, web of trusts, CRLs, SLCs... just that they can access whatever with some reasonable security.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002550</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003058</id>
	<title>Re: As usual, please refrain from blindly chiming</title>
	<author>jcoy42</author>
	<datestamp>1265115420000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p><div class="quote"><p>Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?  </p></div><p>Because Mozilla is capable of doing it and most computer users are (effectively) not.</p><p>Because we care about what happens to the internet.</p><p>Because it's going to be our mom's machine, and we'll have to fix it.</p></div>
	</htmltext>
<tokenext>Why should I let Mozilla , a large group with contradictory desires and many masters , control whether I delist it as a trusted root ?
Because Mozilla is capable of doing it and most computer users are ( effectively ) not.Because we care about what happens to the internet.Because it 's going to be our mom 's machine , and we 'll have to fix it .</tokentext>
<sentencetext>Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?
Because Mozilla is capable of doing it and most computer users are (effectively) not.Because we care about what happens to the internet.Because it's going to be our mom's machine, and we'll have to fix it.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31008172</id>
	<title>Re:Something more substantial than Wikipedia ?</title>
	<author>Dahan</author>
	<datestamp>1264941300000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>Agreed--I'd like to see some real evidence too (Chinese language is fine). As far as I can tell, this is the story: CNNIC does have a "<a href="http://www.cnnic.net.cn/html/Dir/2003/10/11/0670.htm" title="cnnic.net.cn">Chinese Language Surfing</a> [cnnic.net.cn]" product, which enables the use of Chinese domain names, among other things. (ICANN approved non-ASCII ccTLDs late last year, but the Chinese have been using browser plugins and the like to get the same effect for years. This probably isn't the best article about it, but it was what came up when I tried to search for an article that explained it: <a href="http://www.circleid.com/posts/chinas\_new\_domain\_names\_lost\_in\_translation/" title="circleid.com">China's New Domain Names: Lost in Translation</a> [circleid.com].)
</p><p>AFAICT, "Chinese Language Surfing" isn't malware--it does what it says it does. However, it does seem unusually protective of itself once installed--but not to the point that the uninstaller doesn't work. Also, while CNNIC doesn't endorse this, apparently "Chinese Language Surfing" gets automatically installed (without user consent) by other programs. This has led to some antimalware-software vendors listing it as malware. E.g., MS calls it <a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=BrowserModifier\%3AWin32\%2FCNNIC" title="microsoft.com">BrowserModifier:Win32/CNNIC</a> [microsoft.com], and has this to say about it:</p><blockquote><div><p>BrowserModifier:Win32/CNNIC enables Chinese keyword searching in Internet Explorer and adds support for other applications to use Chinese domain names that registered with CNNIC (China Internet Network Information Center). This program is often installed as part of a shareware or freeware program, with or without user consent. BrowserModifier:Win32/CNNIC also contains a kernel driver that protects its files and registry settings from being modified or deleted. The program also includes automatic self-update functionality.</p></div></blockquote><p>FWIW, I tried installing CNNIC's product in a virtual machine while running Sysinternals' ProcMon, and didn't spot anything super-suspicious--it did install a driver as MS said, which did seem excessive. And it did add a menu item to IE, but it didn't cause me to get any more popup ads. Seemed well-behaved, as far as I could tell (not that I spent much time with it). I then uninstalled it, and it seemed to remove itself cleanly, including the driver.</p><p>Personally, I would definitely be annoyed if it got installed without my consent, but the program itself does not meet my definition of "malware". Now if anyone has evidence that it's secretly nefarious and does more than what it claims to, please post the details.</p></div>
	</htmltext>
<tokenext>Agreed--I 'd like to see some real evidence too ( Chinese language is fine ) .
As far as I can tell , this is the story : CNNIC does have a " Chinese Language Surfing [ cnnic.net.cn ] " product , which enables the use of Chinese domain names , among other things .
( ICANN approved non-ASCII ccTLDs late last year , but the Chinese have been using browser plugins and the like to get the same effect for years .
This probably is n't the best article about it , but it was what came up when I tried to search for an article that explained it : China 's New Domain Names : Lost in Translation [ circleid.com ] .
) AFAICT , " Chinese Language Surfing " is n't malware--it does what it says it does .
However , it does seem unusually protective of itself once installed--but not to the point that the uninstaller does n't work .
Also , while CNNIC does n't endorse this , apparently " Chinese Language Surfing " gets automatically installed ( without user consent ) by other programs .
This has led to some antimalware-software vendors listing it as malware .
E.g. , MS calls it BrowserModifier : Win32/CNNIC [ microsoft.com ] , and has this to say about it : BrowserModifier : Win32/CNNIC enables Chinese keyword searching in Internet Explorer and adds support for other applications to use Chinese domain names that registered with CNNIC ( China Internet Network Information Center ) .
This program is often installed as part of a shareware or freeware program , with or without user consent .
BrowserModifier : Win32/CNNIC also contains a kernel driver that protects its files and registry settings from being modified or deleted .
The program also includes automatic self-update functionality.FWIW , I tried installing CNNIC 's product in a virtual machine while running Sysinternals ' ProcMon , and did n't spot anything super-suspicious--it did install a driver as MS said , which did seem excessive .
And it did add a menu item to IE , but it did n't cause me to get any more popup ads .
Seemed well-behaved , as far as I could tell ( not that I spent much time with it ) .
I then uninstalled it , and it seemed to remove itself cleanly , including the driver.Personally , I would definitely be annoyed if it got installed without my consent , but the program itself does not meet my definition of " malware " .
Now if anyone has evidence that it 's secretly nefarious and does more than what it claims to , please post the details .</tokentext>
<sentencetext>Agreed--I'd like to see some real evidence too (Chinese language is fine).
As far as I can tell, this is the story: CNNIC does have a "Chinese Language Surfing [cnnic.net.cn]" product, which enables the use of Chinese domain names, among other things.
(ICANN approved non-ASCII ccTLDs late last year, but the Chinese have been using browser plugins and the like to get the same effect for years.
This probably isn't the best article about it, but it was what came up when I tried to search for an article that explained it: China's New Domain Names: Lost in Translation [circleid.com].
)
AFAICT, "Chinese Language Surfing" isn't malware--it does what it says it does.
However, it does seem unusually protective of itself once installed--but not to the point that the uninstaller doesn't work.
Also, while CNNIC doesn't endorse this, apparently "Chinese Language Surfing" gets automatically installed (without user consent) by other programs.
This has led to some antimalware-software vendors listing it as malware.
E.g., MS calls it BrowserModifier:Win32/CNNIC [microsoft.com], and has this to say about it:BrowserModifier:Win32/CNNIC enables Chinese keyword searching in Internet Explorer and adds support for other applications to use Chinese domain names that registered with CNNIC (China Internet Network Information Center).
This program is often installed as part of a shareware or freeware program, with or without user consent.
BrowserModifier:Win32/CNNIC also contains a kernel driver that protects its files and registry settings from being modified or deleted.
The program also includes automatic self-update functionality.FWIW, I tried installing CNNIC's product in a virtual machine while running Sysinternals' ProcMon, and didn't spot anything super-suspicious--it did install a driver as MS said, which did seem excessive.
And it did add a menu item to IE, but it didn't cause me to get any more popup ads.
Seemed well-behaved, as far as I could tell (not that I spent much time with it).
I then uninstalled it, and it seemed to remove itself cleanly, including the driver.Personally, I would definitely be annoyed if it got installed without my consent, but the program itself does not meet my definition of "malware".
Now if anyone has evidence that it's secretly nefarious and does more than what it claims to, please post the details.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002770</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004066</id>
	<title>What is trust?</title>
	<author>ugen</author>
	<datestamp>1265121540000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>If you never had a chance to look at a root CA list in your browser - now may be the time. Open advanced encryption preferences and look at certificate list. These are, normally, all the CAs that your browser trusts to sign certificates for other sites (or for other signers and so on and so forth). Now - do you know who they are?<br>FWIW I have never heard of most of these names, and have no reason to trust them or anything they do. The names that I know don't exactly give me the "warm and fuzzy" feeling. Equifax - the company that violates my privacy by enabling extraneous information collection, keeps bogus information on my credit report and is notoriously impossible to deal with? I won't trust them any further than I can throw them.</p><p>So China's another CA - big deal. Frankly, Scarlet, I don't give a damn. My browser will gladly accept certificates from anyone for all I care and the entire concept of "trust" is meaningless if I don't *really* trust these guys.</p><p>The CA is dead, let it go.</p></htmltext>
<tokenext>If you never had a chance to look at a root CA list in your browser - now may be the time .
Open advanced encryption preferences and look at certificate list .
These are , normally , all the CAs that your browser trusts to sign certificates for other sites ( or for other signers and so on and so forth ) .
Now - do you know who they are ? FWIW I have never heard of most of these names , and have no reason to trust them or anything they do .
The names that I know do n't exactly give me the " warm and fuzzy " feeling .
Equifax - the company that violates my privacy by enabling extraneous information collection , keeps bogus information on my credit report and is notoriously impossible to deal with ?
I wo n't trust them any further than I can throw them.So China 's another CA - big deal .
Frankly , Scarlet , I do n't give a damn .
My browser will gladly accept certificates from anyone for all I care and the entire concept of " trust " is meaningless if I do n't * really * trust these guys.The CA is dead , let it go .</tokentext>
<sentencetext>If you never had a chance to look at a root CA list in your browser - now may be the time.
Open advanced encryption preferences and look at certificate list.
These are, normally, all the CAs that your browser trusts to sign certificates for other sites (or for other signers and so on and so forth).
Now - do you know who they are?FWIW I have never heard of most of these names, and have no reason to trust them or anything they do.
The names that I know don't exactly give me the "warm and fuzzy" feeling.
Equifax - the company that violates my privacy by enabling extraneous information collection, keeps bogus information on my credit report and is notoriously impossible to deal with?
I won't trust them any further than I can throw them.So China's another CA - big deal.
Frankly, Scarlet, I don't give a damn.
My browser will gladly accept certificates from anyone for all I care and the entire concept of "trust" is meaningless if I don't *really* trust these guys.The CA is dead, let it go.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003534</id>
	<title>Re:Does anyone notable *not* support CNNIC?</title>
	<author>maugle</author>
	<datestamp>1265117940000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA?</p></div><p>You forgot Australia.
<br> <br>Also, our government doesn't obsessively monitor everyone (Brits), attempt to cram a "3-strikes" law down our throats (French), or attempt to track down dissidents and make them "disappear" (Iranians, Chinese).  So, yes, we are the good guys here, relatively speaking.</p></div>
	</htmltext>
<tokenext>What about the Brits , who want to monitor everything ?
What about the French , who want to kick people off the net for misbehaving ?
What about Iran , who wants to kick out everyone ?
Do you really think the USA looks like the good guys to the rest of the 'net ?
Who gave the world Microsoft , and the RIAA , and the MPAA ? You forgot Australia .
Also , our government does n't obsessively monitor everyone ( Brits ) , attempt to cram a " 3-strikes " law down our throats ( French ) , or attempt to track down dissidents and make them " disappear " ( Iranians , Chinese ) .
So , yes , we are the good guys here , relatively speaking .</tokentext>
<sentencetext>What about the Brits, who want to monitor everything?
What about the French, who want to kick people off the net for misbehaving?
What about Iran, who wants to kick out everyone?
Do you really think the USA looks like the good guys to the rest of the 'net?
Who gave the world Microsoft, and the RIAA, and the MPAA?You forgot Australia.
Also, our government doesn't obsessively monitor everyone (Brits), attempt to cram a "3-strikes" law down our throats (French), or attempt to track down dissidents and make them "disappear" (Iranians, Chinese).
So, yes, we are the good guys here, relatively speaking.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003298</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31008372</id>
	<title>Re: As usual, please refrain from blindly chiming</title>
	<author>Yvanhoe</author>
	<datestamp>1264943940000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Wait a minute... <br>
From what I understand, it mainly means that when a website is certified by CNNIC, it will appear in Mozilla software as being indeed certified by CNNIC. Mozilla is not in the certification and trust management business. From my point of view, I don't see why they should refuse any organization with a verifiable physical address that is not trying to fool people by using similar names like "Paypel". Users will have to learn how a trust network works and who they trust when they do transactions or secure connections. There is no way around it.</htmltext>
<tokenext>Wait a minute.. . From what I understand , it mainly means that when a website is certified by CNNIC , it will appear in Mozilla software as being indeed certified by CNNIC .
Mozilla is not in the certification and trust management business .
From my point of view , I do n't see why they should refuse any organization with a verifiable physical address that is not trying to fool people by using similar names like " Paypel " .
Users will have to learn how a trust network works and who they trust when they do transactions or secure connections .
There is no way around it .</tokentext>
<sentencetext>Wait a minute... 
From what I understand, it mainly means that when a website is certified by CNNIC, it will appear in Mozilla software as being indeed certified by CNNIC.
Mozilla is not in the certification and trust management business.
From my point of view, I don't see why they should refuse any organization with a verifiable physical address that is not trying to fool people by using similar names like "Paypel".
Users will have to learn how a trust network works and who they trust when they do transactions or secure connections.
There is no way around it.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004046</id>
	<title>Re:Disagree with the premise.</title>
	<author>yttrstein</author>
	<datestamp>1265121480000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I know I don't agree with this.  The burden rests with me personally actually, to simply continue not using Firefox.</htmltext>
<tokenext>I know I do n't agree with this .
The burden rests with me personally actually , to simply continue not using Firefox .</tokentext>
<sentencetext>I know I don't agree with this.
The burden rests with me personally actually, to simply continue not using Firefox.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002502</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003188</id>
	<title>Re: As usual, please refrain from blindly chiming</title>
	<author>bill\_mcgonigle</author>
	<datestamp>1265116140000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>3</modscore>
	<htmltext><p>He means, "please don't spam the Bugzilla comments unless you have something constructive to add."  BMO used to block all slashdot referers at one point...</p></htmltext>
<tokenext>He means , " please do n't spam the Bugzilla comments unless you have something constructive to add .
" BMO used to block all slashdot referers at one point.. .</tokentext>
<sentencetext>He means, "please don't spam the Bugzilla comments unless you have something constructive to add.
"  BMO used to block all slashdot referers at one point...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004630</id>
	<title>CNNIC is untrustable</title>
	<author>Anonymous</author>
	<datestamp>1265125260000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I am chinese web engineer. CNNIC is untrustable. I had delete CNNIC root and Entrust Root both Firefox and IE.</p></htmltext>
<tokenext>I am chinese web engineer .
CNNIC is untrustable .
I had delete CNNIC root and Entrust Root both Firefox and IE .</tokentext>
<sentencetext>I am chinese web engineer.
CNNIC is untrustable.
I had delete CNNIC root and Entrust Root both Firefox and IE.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002588</id>
	<title>And I thought the burden fell upon...</title>
	<author>carlhaagen</author>
	<datestamp>1265112960000</datestamp>
	<modclass>Flamebait</modclass>
	<modscore>-1</modscore>
	<htmltext>...every damned user of FailFox. You're such a jackass, Josh Triplett.</htmltext>
<tokenext>...every damned user of FailFox .
You 're such a jackass , Josh Triplett .</tokentext>
<sentencetext>...every damned user of FailFox.
You're such a jackass, Josh Triplett.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004382</id>
	<title>Re:Given they've bowed to Chinese pressure</title>
	<author>Culture20</author>
	<datestamp>1265123820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Conversely, is there a way to automate root cert imports into FF across tons of machines?</htmltext>
<tokenext>Conversely , is there a way to automate root cert imports into FF across tons of machines ?</tokentext>
<sentencetext>Conversely, is there a way to automate root cert imports into FF across tons of machines?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002260</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31008366</id>
	<title>CNNIC is evil</title>
	<author>Jesus IS the Devil</author>
	<datestamp>1264943880000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I've had first-hand experience with CCNIC that ought to put things into perspective. I registered a domain name at Godaddy, and also registered a couple of DNS servers.  Use of these registered DNS servers worked flawlessly, until I had to set them for Chinese clients who had registered their domains via net.cn.  They were unable to set these DNS servers because the system kept telling them the DNS servers were invalid.  Upon calling net.cn's tech support, the client was told to talk to CNNIC.</p><p>So, I spoke to CNNIC on behalf of the client, and was basically told to go talk to Godaddy, and that Godaddy would contact CNNIC and know what to do.  I thought this was odd, but sent a support ticket to Godaddy. They confirmed that the DNS servers in question had absolutely no problems and I was even sent a link verifying this over at ICANN, which is an internationally accepted organization for domain names.</p><p>I tried CNNIC again and told them that my DNS servers were valid and registered, even recognized by ICANN.  I was rebuffed and basically told to go talk to Godaddy again.  A few rounds of this with various people resulted in absoF*kinglutely no results.  I think Godaddy is right in this case. There's nobody to talk to. The DNS servers are in-fact valid.</p><p>What I was told instead, was to go to net.cn and purchase another domain name from there, then pay 10RMB per DNS server for that new domain.  I ended up having to do exactly that, to solve this problem.</p><p>After this ordeal, I am certain that CNNIC is in fact as evil as they come.  They don't care about international standards, just what their omnipotent bosses tell to to do.</p></htmltext>
<tokenext>I 've had first-hand experience with CCNIC that ought to put things into perspective .
I registered a domain name at Godaddy , and also registered a couple of DNS servers .
Use of these registered DNS servers worked flawlessly , until I had to set them for Chinese clients who had registered their domains via net.cn .
They were unable to set these DNS servers because the system kept telling them the DNS servers were invalid .
Upon calling net.cn 's tech support , the client was told to talk to CNNIC.So , I spoke to CNNIC on behalf of the client , and was basically told to go talk to Godaddy , and that Godaddy would contact CNNIC and know what to do .
I thought this was odd , but sent a support ticket to Godaddy .
They confirmed that the DNS servers in question had absolutely no problems and I was even sent a link verifying this over at ICANN , which is an internationally accepted organization for domain names.I tried CNNIC again and told them that my DNS servers were valid and registered , even recognized by ICANN .
I was rebuffed and basically told to go talk to Godaddy again .
A few rounds of this with various people resulted in absoF * kinglutely no results .
I think Godaddy is right in this case .
There 's nobody to talk to .
The DNS servers are in-fact valid.What I was told instead , was to go to net.cn and purchase another domain name from there , then pay 10RMB per DNS server for that new domain .
I ended up having to do exactly that , to solve this problem.After this ordeal , I am certain that CNNIC is in fact as evil as they come .
They do n't care about international standards , just what their omnipotent bosses tell to to do .</tokentext>
<sentencetext>I've had first-hand experience with CCNIC that ought to put things into perspective.
I registered a domain name at Godaddy, and also registered a couple of DNS servers.
Use of these registered DNS servers worked flawlessly, until I had to set them for Chinese clients who had registered their domains via net.cn.
They were unable to set these DNS servers because the system kept telling them the DNS servers were invalid.
Upon calling net.cn's tech support, the client was told to talk to CNNIC.So, I spoke to CNNIC on behalf of the client, and was basically told to go talk to Godaddy, and that Godaddy would contact CNNIC and know what to do.
I thought this was odd, but sent a support ticket to Godaddy.
They confirmed that the DNS servers in question had absolutely no problems and I was even sent a link verifying this over at ICANN, which is an internationally accepted organization for domain names.I tried CNNIC again and told them that my DNS servers were valid and registered, even recognized by ICANN.
I was rebuffed and basically told to go talk to Godaddy again.
A few rounds of this with various people resulted in absoF*kinglutely no results.
I think Godaddy is right in this case.
There's nobody to talk to.
The DNS servers are in-fact valid.What I was told instead, was to go to net.cn and purchase another domain name from there, then pay 10RMB per DNS server for that new domain.
I ended up having to do exactly that, to solve this problem.After this ordeal, I am certain that CNNIC is in fact as evil as they come.
They don't care about international standards, just what their omnipotent bosses tell to to do.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006118</id>
	<title>Re: As usual, please refrain from blindly chiming</title>
	<author>jsepeta</author>
	<datestamp>1265135040000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Fuck China. How do we block the Chinese from getting into our webservers and browsers? enquiring minds want to know.</p></htmltext>
<tokenext>Fuck China .
How do we block the Chinese from getting into our webservers and browsers ?
enquiring minds want to know .</tokentext>
<sentencetext>Fuck China.
How do we block the Chinese from getting into our webservers and browsers?
enquiring minds want to know.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006636</id>
	<title>Re:Does anyone notable *not* support CNNIC?</title>
	<author>Anonymous</author>
	<datestamp>1265140320000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I just checked on my Win7 install and CNNIC is *NOT* in the trusted root CA list for my computer or user account. Perhaps something (Firefox?) added it to your listed of trusted CAs?</p></htmltext>
<tokenext>I just checked on my Win7 install and CNNIC is * NOT * in the trusted root CA list for my computer or user account .
Perhaps something ( Firefox ?
) added it to your listed of trusted CAs ?</tokentext>
<sentencetext>I just checked on my Win7 install and CNNIC is *NOT* in the trusted root CA list for my computer or user account.
Perhaps something (Firefox?
) added it to your listed of trusted CAs?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31011132</id>
	<title>Mozilla is no longer trustworthy</title>
	<author>Ant P.</author>
	<datestamp>1264958880000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>This is security theatre of the worst kind. Their whole (and only plausible) excuse for doing this is that nobody can pretend to be CNNIC over https now; given the reactions of people familiar with CNNIC I wonder why the hell anyone would in the first place.</p><p>Now thanks to a <em>complete and utter retard</em> at Mozilla <a href="https://bugzilla.mozilla.org/show\_bug.cgi?id=476766#c14" title="mozilla.org">blithely following a script</a> [mozilla.org] without regard to the real world consequences, everyone gets to live with those consequences: hundreds of millions of net users who more often than not blindly click Yes to anything, who have been trained to associate a blue/green address bar with "safe".</p><p>Thanks for making the internet a "safer" place, Mozilla. Ugh.</p></htmltext>
<tokenext>This is security theatre of the worst kind .
Their whole ( and only plausible ) excuse for doing this is that nobody can pretend to be CNNIC over https now ; given the reactions of people familiar with CNNIC I wonder why the hell anyone would in the first place.Now thanks to a complete and utter retard at Mozilla blithely following a script [ mozilla.org ] without regard to the real world consequences , everyone gets to live with those consequences : hundreds of millions of net users who more often than not blindly click Yes to anything , who have been trained to associate a blue/green address bar with " safe " .Thanks for making the internet a " safer " place , Mozilla .
Ugh .</tokentext>
<sentencetext>This is security theatre of the worst kind.
Their whole (and only plausible) excuse for doing this is that nobody can pretend to be CNNIC over https now; given the reactions of people familiar with CNNIC I wonder why the hell anyone would in the first place.Now thanks to a complete and utter retard at Mozilla blithely following a script [mozilla.org] without regard to the real world consequences, everyone gets to live with those consequences: hundreds of millions of net users who more often than not blindly click Yes to anything, who have been trained to associate a blue/green address bar with "safe".Thanks for making the internet a "safer" place, Mozilla.
Ugh.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31010098</id>
	<title>Re: As usual, please refrain from blindly chiming</title>
	<author>jonadab</author>
	<datestamp>1264954800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>&gt; Doesn't Firefox warn you if a key for a certain<br>&gt; domain suddenly changes to something different?<br><br>No, it doesn't.  To my knowledge, no browser does.<br><br>It's like I've been saying for at least a couple of years:  SSL can in theory provide meaningful data security, but HTTPS uses it incorrectly (in several ways; failure to complain when a cert changes is only one of several problems) and therefore does *not* provide meaningful security.<br><br>If you want to transfer some data *securely*, you should not use https.  There are much better options, e.g., scp.<br><br>To be absolutely fully blunt, HTTPS is not significantly more secure than plain old HTTP.<br><br>Note that this doesn't stop me from placing orders online.  I just send a check -- which is what I would do anyway, because even if the information *transfer* were completely secure I still wouldn't trust somebody else's servers with information that would allow anyone who breaks in to take arbitrary amounts of money from me.  (Amazon recently lost my business, because they will no longer let you just send a check for one purchase.  They now want to store your checking account numbers.  That's just as risky to me as giving them credit card numbers to store.  No thanks.  I'll find someone else to buy from.)<br><br>The insecurity of https does stop me from doing online banking, but I wouldn't be doing that anyway, because my bank is too small to set up their own online banking and chose to outsource it to some outfit operating out of an obscure archipelago in the Indian Ocean.  I'm sure the outfit is legit and above-board or my bank wouldn't be using them, but I'm still not comfortable trusting my money to an outfit operating in a jurisdiction where I would have no real recourse if they ever caused me problems.  So I don't do online banking.  Small loss: my finances aren't that complicated, and the bank is a grand total of five blocks from my house.</htmltext>
<tokenext>&gt; Does n't Firefox warn you if a key for a certain &gt; domain suddenly changes to something different ? No , it does n't .
To my knowledge , no browser does.It 's like I 've been saying for at least a couple of years : SSL can in theory provide meaningful data security , but HTTPS uses it incorrectly ( in several ways ; failure to complain when a cert changes is only one of several problems ) and therefore does * not * provide meaningful security.If you want to transfer some data * securely * , you should not use https .
There are much better options , e.g. , scp.To be absolutely fully blunt , HTTPS is not significantly more secure than plain old HTTP.Note that this does n't stop me from placing orders online .
I just send a check -- which is what I would do anyway , because even if the information * transfer * were completely secure I still would n't trust somebody else 's servers with information that would allow anyone who breaks in to take arbitrary amounts of money from me .
( Amazon recently lost my business , because they will no longer let you just send a check for one purchase .
They now want to store your checking account numbers .
That 's just as risky to me as giving them credit card numbers to store .
No thanks .
I 'll find someone else to buy from .
) The insecurity of https does stop me from doing online banking , but I would n't be doing that anyway , because my bank is too small to set up their own online banking and chose to outsource it to some outfit operating out of an obscure archipelago in the Indian Ocean .
I 'm sure the outfit is legit and above-board or my bank would n't be using them , but I 'm still not comfortable trusting my money to an outfit operating in a jurisdiction where I would have no real recourse if they ever caused me problems .
So I do n't do online banking .
Small loss : my finances are n't that complicated , and the bank is a grand total of five blocks from my house .</tokentext>
<sentencetext>&gt; Doesn't Firefox warn you if a key for a certain&gt; domain suddenly changes to something different?No, it doesn't.
To my knowledge, no browser does.It's like I've been saying for at least a couple of years:  SSL can in theory provide meaningful data security, but HTTPS uses it incorrectly (in several ways; failure to complain when a cert changes is only one of several problems) and therefore does *not* provide meaningful security.If you want to transfer some data *securely*, you should not use https.
There are much better options, e.g., scp.To be absolutely fully blunt, HTTPS is not significantly more secure than plain old HTTP.Note that this doesn't stop me from placing orders online.
I just send a check -- which is what I would do anyway, because even if the information *transfer* were completely secure I still wouldn't trust somebody else's servers with information that would allow anyone who breaks in to take arbitrary amounts of money from me.
(Amazon recently lost my business, because they will no longer let you just send a check for one purchase.
They now want to store your checking account numbers.
That's just as risky to me as giving them credit card numbers to store.
No thanks.
I'll find someone else to buy from.
)The insecurity of https does stop me from doing online banking, but I wouldn't be doing that anyway, because my bank is too small to set up their own online banking and chose to outsource it to some outfit operating out of an obscure archipelago in the Indian Ocean.
I'm sure the outfit is legit and above-board or my bank wouldn't be using them, but I'm still not comfortable trusting my money to an outfit operating in a jurisdiction where I would have no real recourse if they ever caused me problems.
So I don't do online banking.
Small loss: my finances aren't that complicated, and the bank is a grand total of five blocks from my house.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005850</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004030</id>
	<title>How Many Self-signed Certificates We Talking?</title>
	<author>Anonymous</author>
	<datestamp>1265121420000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>For my personal use, I don't have a problem with the suspicion of self-signed certs. I don't intend any visitors to my https service other than the ones I personally invite, and I can guide them through the security exception process. Obviously, I'm not running a business.</p><p>I disagree with the parent regarding the proliferation of CAs. It's true that added CAs add to the points of potential compromise. But, they're a drop in the bucket compared to the flood of self-signs we'd be dealing with. Then we'd <b>really</b> be talking compromise, to the point where if the site wasn't some heavy hitter brand, we'd have next to zero confidence in the value of the https connection overhead.</p></htmltext>
<tokenext>For my personal use , I do n't have a problem with the suspicion of self-signed certs .
I do n't intend any visitors to my https service other than the ones I personally invite , and I can guide them through the security exception process .
Obviously , I 'm not running a business.I disagree with the parent regarding the proliferation of CAs .
It 's true that added CAs add to the points of potential compromise .
But , they 're a drop in the bucket compared to the flood of self-signs we 'd be dealing with .
Then we 'd really be talking compromise , to the point where if the site was n't some heavy hitter brand , we 'd have next to zero confidence in the value of the https connection overhead .</tokentext>
<sentencetext>For my personal use, I don't have a problem with the suspicion of self-signed certs.
I don't intend any visitors to my https service other than the ones I personally invite, and I can guide them through the security exception process.
Obviously, I'm not running a business.I disagree with the parent regarding the proliferation of CAs.
It's true that added CAs add to the points of potential compromise.
But, they're a drop in the bucket compared to the flood of self-signs we'd be dealing with.
Then we'd really be talking compromise, to the point where if the site wasn't some heavy hitter brand, we'd have next to zero confidence in the value of the https connection overhead.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002550</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004680</id>
	<title>Re:Does anyone notable *not* support CNNIC?</title>
	<author>FreelanceWizard</author>
	<datestamp>1265125500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Bear in mind that the certificate store in Windows is shared across multiple applications. I don't have Firefox installed on my fully-patched Windows 7 Professional machine, and I don't have the CNNIC Root certificate in any of my certificate stores. If you have it, you've installed something that's added it or upgraded from a version of the OS that's trusted it. It most definitely isn't something that Windows trusts by default.</p><p>My MBP isn't handy, so I can't check and see if OS X has it by default; my MBP has a tiny OS X partition I only use for software and firmware updates, so it's as close to a stock install as you can get.</p></htmltext>
<tokenext>Bear in mind that the certificate store in Windows is shared across multiple applications .
I do n't have Firefox installed on my fully-patched Windows 7 Professional machine , and I do n't have the CNNIC Root certificate in any of my certificate stores .
If you have it , you 've installed something that 's added it or upgraded from a version of the OS that 's trusted it .
It most definitely is n't something that Windows trusts by default.My MBP is n't handy , so I ca n't check and see if OS X has it by default ; my MBP has a tiny OS X partition I only use for software and firmware updates , so it 's as close to a stock install as you can get .</tokentext>
<sentencetext>Bear in mind that the certificate store in Windows is shared across multiple applications.
I don't have Firefox installed on my fully-patched Windows 7 Professional machine, and I don't have the CNNIC Root certificate in any of my certificate stores.
If you have it, you've installed something that's added it or upgraded from a version of the OS that's trusted it.
It most definitely isn't something that Windows trusts by default.My MBP isn't handy, so I can't check and see if OS X has it by default; my MBP has a tiny OS X partition I only use for software and firmware updates, so it's as close to a stock install as you can get.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31014512</id>
	<title>The whole PKI business is a scam...</title>
	<author>tpg0007</author>
	<datestamp>1264930800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>It's just a way to lure Joe Average into a false sense of security. It really shouldn't be any more difficult for someone with a minimal amount of effort to obtain a legit SSL cert from say VeriSign who then uses it for evil. However it's the best scam we have so...

My suggestion is to put geographic or political limitations on a trust root's clients. It shouldn't make sense for say an Australian bank site to have a cert from CCNIC. Domain name register and the cert's issuer should match in terms of geographic sphere of influence.</htmltext>
<tokenext>It 's just a way to lure Joe Average into a false sense of security .
It really should n't be any more difficult for someone with a minimal amount of effort to obtain a legit SSL cert from say VeriSign who then uses it for evil .
However it 's the best scam we have so.. . My suggestion is to put geographic or political limitations on a trust root 's clients .
It should n't make sense for say an Australian bank site to have a cert from CCNIC .
Domain name register and the cert 's issuer should match in terms of geographic sphere of influence .</tokentext>
<sentencetext>It's just a way to lure Joe Average into a false sense of security.
It really shouldn't be any more difficult for someone with a minimal amount of effort to obtain a legit SSL cert from say VeriSign who then uses it for evil.
However it's the best scam we have so...

My suggestion is to put geographic or political limitations on a trust root's clients.
It shouldn't make sense for say an Australian bank site to have a cert from CCNIC.
Domain name register and the cert's issuer should match in terms of geographic sphere of influence.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002600</id>
	<title>How do I mark all CAs in Firefox untrusted?</title>
	<author>Anonymous</author>
	<datestamp>1265113020000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>How do I mark all CAs in Firefox untrusted?<br>There has to be a better way than change each one manually.</p></htmltext>
<tokenext>How do I mark all CAs in Firefox untrusted ? There has to be a better way than change each one manually .</tokentext>
<sentencetext>How do I mark all CAs in Firefox untrusted?There has to be a better way than change each one manually.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002550</id>
	<title>Relative security of self-signed certificates</title>
	<author>Anonymous</author>
	<datestamp>1265112720000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>I have nothing against additional certificate authorities; it makes sense in most situations not to give all the power to a single party.</p><p>Nonetheless, the large number of accepted authorities raises serious questions about another aspect of browser security:</p><p>Why are self-signed certificates viewed with such relative suspicion?</p><p>It only takes a single compromised or misled CA to bypass the entire trust system.  The more CAs we have, the easier it is to compromise the system.</p><p>Why, then, do we make it so difficult for sites to implement security against passive plaintext snooping (which is arguably much more of a threat in most situations, discounting targeted attacks)?  Why do browsers make this basic security effectively unavailable unless you pay a toll to a CA?  (And it <i>is</i> effectively unavailable, since the inconvenience and fear-of-the-unknown related to accepting self-signed certificates makes the use of them a self-defeating act.)</p><p>As CAs proliferate, it becomes more and more meaningless to view self-signed certificates with such suspicion -- since they become relatively less and less of a risk, as we add more CAs and thus more individual points where the system may be compromised.</p></htmltext>
<tokenext>I have nothing against additional certificate authorities ; it makes sense in most situations not to give all the power to a single party.Nonetheless , the large number of accepted authorities raises serious questions about another aspect of browser security : Why are self-signed certificates viewed with such relative suspicion ? It only takes a single compromised or misled CA to bypass the entire trust system .
The more CAs we have , the easier it is to compromise the system.Why , then , do we make it so difficult for sites to implement security against passive plaintext snooping ( which is arguably much more of a threat in most situations , discounting targeted attacks ) ?
Why do browsers make this basic security effectively unavailable unless you pay a toll to a CA ?
( And it is effectively unavailable , since the inconvenience and fear-of-the-unknown related to accepting self-signed certificates makes the use of them a self-defeating act .
) As CAs proliferate , it becomes more and more meaningless to view self-signed certificates with such suspicion -- since they become relatively less and less of a risk , as we add more CAs and thus more individual points where the system may be compromised .</tokentext>
<sentencetext>I have nothing against additional certificate authorities; it makes sense in most situations not to give all the power to a single party.Nonetheless, the large number of accepted authorities raises serious questions about another aspect of browser security:Why are self-signed certificates viewed with such relative suspicion?It only takes a single compromised or misled CA to bypass the entire trust system.
The more CAs we have, the easier it is to compromise the system.Why, then, do we make it so difficult for sites to implement security against passive plaintext snooping (which is arguably much more of a threat in most situations, discounting targeted attacks)?
Why do browsers make this basic security effectively unavailable unless you pay a toll to a CA?
(And it is effectively unavailable, since the inconvenience and fear-of-the-unknown related to accepting self-signed certificates makes the use of them a self-defeating act.
)As CAs proliferate, it becomes more and more meaningless to view self-signed certificates with such suspicion -- since they become relatively less and less of a risk, as we add more CAs and thus more individual points where the system may be compromised.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006734</id>
	<title>Re:Relative security of self-signed certificates</title>
	<author>Anonymous</author>
	<datestamp>1264968420000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>If I worked for the NSA, that's exactly the situation I would strive for: support the use of CAs, which can be bullied into giving backdoor access for national security reasons, and try to make the use of self-signed certificates as hard as possible.  There are lots of arguments that can be made in favor of such development both to managers of browser development teams, and on the actual development team mailing lists of open source browsers.  In the case of open source browsers, it would actually be prudent for NSA to support a few professional developers to work on Firefox encryption modules simply to make sure that they are secure against all attacks, while making sure that they unconditionally trust only official certificates from companies such as Verisign which can be easily subverted.  Once you gain the status of a valuable contributor in the open source development team, your arguments for limiting the use of self-signed certificates will carry that much more weight.</p></htmltext>
<tokenext>If I worked for the NSA , that 's exactly the situation I would strive for : support the use of CAs , which can be bullied into giving backdoor access for national security reasons , and try to make the use of self-signed certificates as hard as possible .
There are lots of arguments that can be made in favor of such development both to managers of browser development teams , and on the actual development team mailing lists of open source browsers .
In the case of open source browsers , it would actually be prudent for NSA to support a few professional developers to work on Firefox encryption modules simply to make sure that they are secure against all attacks , while making sure that they unconditionally trust only official certificates from companies such as Verisign which can be easily subverted .
Once you gain the status of a valuable contributor in the open source development team , your arguments for limiting the use of self-signed certificates will carry that much more weight .</tokentext>
<sentencetext>If I worked for the NSA, that's exactly the situation I would strive for: support the use of CAs, which can be bullied into giving backdoor access for national security reasons, and try to make the use of self-signed certificates as hard as possible.
There are lots of arguments that can be made in favor of such development both to managers of browser development teams, and on the actual development team mailing lists of open source browsers.
In the case of open source browsers, it would actually be prudent for NSA to support a few professional developers to work on Firefox encryption modules simply to make sure that they are secure against all attacks, while making sure that they unconditionally trust only official certificates from companies such as Verisign which can be easily subverted.
Once you gain the status of a valuable contributor in the open source development team, your arguments for limiting the use of self-signed certificates will carry that much more weight.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002550</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31022818</id>
	<title>I blame...</title>
	<author>DaVince21</author>
	<datestamp>1265301480000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I blame the people who might have known about it but didn't comment on this at all during the review stage. If there's some proof showing sites using this certificate are actually releasing malware, though, it's easy enough to have Mozilla reject it again.</p></htmltext>
<tokenext>I blame the people who might have known about it but did n't comment on this at all during the review stage .
If there 's some proof showing sites using this certificate are actually releasing malware , though , it 's easy enough to have Mozilla reject it again .</tokentext>
<sentencetext>I blame the people who might have known about it but didn't comment on this at all during the review stage.
If there's some proof showing sites using this certificate are actually releasing malware, though, it's easy enough to have Mozilla reject it again.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005138</id>
	<title>Re:Does anyone notable *not* support CNNIC?</title>
	<author>yorktown</author>
	<datestamp>1265128140000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>And it extends way beyond China. I see this as simply another example of "yellow peril" thinking. What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving?  All this "evil Chinese" stuff is getting tiresome.</p></div><p>I don't recall a top military official in the U.K. or France threatening to vaporize Los Angeles.  I do recall a high ranking Chinese general making <a href="http://archive.newsmax.com/archives/articles/2002/3/14/133903.shtml" title="newsmax.com" rel="nofollow">that threat</a> [newsmax.com].</p></div>
	</htmltext>
<tokenext>And it extends way beyond China .
I see this as simply another example of " yellow peril " thinking .
What about the Brits , who want to monitor everything ?
What about the French , who want to kick people off the net for misbehaving ?
All this " evil Chinese " stuff is getting tiresome.I do n't recall a top military official in the U.K. or France threatening to vaporize Los Angeles .
I do recall a high ranking Chinese general making that threat [ newsmax.com ] .</tokentext>
<sentencetext>And it extends way beyond China.
I see this as simply another example of "yellow peril" thinking.
What about the Brits, who want to monitor everything?
What about the French, who want to kick people off the net for misbehaving?
All this "evil Chinese" stuff is getting tiresome.I don't recall a top military official in the U.K. or France threatening to vaporize Los Angeles.
I do recall a high ranking Chinese general making that threat [newsmax.com].
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003298</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003298</id>
	<title>Re:Does anyone notable *not* support CNNIC?</title>
	<author>Anonymous</author>
	<datestamp>1265116680000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>&gt;<nobr> <wbr></nobr>... it extends way beyond firefox.</p><p>And it extends way beyond China. I see this as simply another example of "yellow peril" thinking. What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA? All this "evil Chinese" stuff is getting tiresome.</p></htmltext>
<tokenext>&gt; ... it extends way beyond firefox.And it extends way beyond China .
I see this as simply another example of " yellow peril " thinking .
What about the Brits , who want to monitor everything ?
What about the French , who want to kick people off the net for misbehaving ?
What about Iran , who wants to kick out everyone ?
Do you really think the USA looks like the good guys to the rest of the 'net ?
Who gave the world Microsoft , and the RIAA , and the MPAA ?
All this " evil Chinese " stuff is getting tiresome .</tokentext>
<sentencetext>&gt; ... it extends way beyond firefox.And it extends way beyond China.
I see this as simply another example of "yellow peril" thinking.
What about the Brits, who want to monitor everything?
What about the French, who want to kick people off the net for misbehaving?
What about Iran, who wants to kick out everyone?
Do you really think the USA looks like the good guys to the rest of the 'net?
Who gave the world Microsoft, and the RIAA, and the MPAA?
All this "evil Chinese" stuff is getting tiresome.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003658</id>
	<title>How could CNNIC be any worse than all the others?</title>
	<author>Anonymous</author>
	<datestamp>1265118660000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>You can already get fake certs you want from other "trusted" CAs. How is this any different? I wish browsers implemented a better way to handle certs. For initial cert check the CA could be ok (better than nothing), but after that browser should remember the cert and alert you if it changes, regardless of how valid the change looks like.</p></htmltext>
<tokenext>You can already get fake certs you want from other " trusted " CAs .
How is this any different ?
I wish browsers implemented a better way to handle certs .
For initial cert check the CA could be ok ( better than nothing ) , but after that browser should remember the cert and alert you if it changes , regardless of how valid the change looks like .</tokentext>
<sentencetext>You can already get fake certs you want from other "trusted" CAs.
How is this any different?
I wish browsers implemented a better way to handle certs.
For initial cert check the CA could be ok (better than nothing), but after that browser should remember the cert and alert you if it changes, regardless of how valid the change looks like.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002652</id>
	<title>Re: As usual, please refrain from blindly chiming</title>
	<author>Anonymous</author>
	<datestamp>1265113380000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>At issue here is the ability of the Chinese government to run MiTH attacks on their citizens (and others) (who may have no computer security experience) and to arrest political dissidents.  Nobody's saying you should wait to remove it.  The question is, should it be removed for the safety of others?</p><p>The whole point of root certs is trust.  We trust them to sign certificates which will be used, in turn, to keep our conversations private.  Should CNNIC be trusted to keep conversations private?  That is the question.  Organizations like Mozilla put their own reputations on the line when choosing which root certs to include.  Any abuse by CNNIC will be seen as a security flaw in Mozilla software.  That is the issue.  That is why Mozilla should care. (even if they disagree)</p></htmltext>
<tokenext>At issue here is the ability of the Chinese government to run MiTH attacks on their citizens ( and others ) ( who may have no computer security experience ) and to arrest political dissidents .
Nobody 's saying you should wait to remove it .
The question is , should it be removed for the safety of others ? The whole point of root certs is trust .
We trust them to sign certificates which will be used , in turn , to keep our conversations private .
Should CNNIC be trusted to keep conversations private ?
That is the question .
Organizations like Mozilla put their own reputations on the line when choosing which root certs to include .
Any abuse by CNNIC will be seen as a security flaw in Mozilla software .
That is the issue .
That is why Mozilla should care .
( even if they disagree )</tokentext>
<sentencetext>At issue here is the ability of the Chinese government to run MiTH attacks on their citizens (and others) (who may have no computer security experience) and to arrest political dissidents.
Nobody's saying you should wait to remove it.
The question is, should it be removed for the safety of others?The whole point of root certs is trust.
We trust them to sign certificates which will be used, in turn, to keep our conversations private.
Should CNNIC be trusted to keep conversations private?
That is the question.
Organizations like Mozilla put their own reputations on the line when choosing which root certs to include.
Any abuse by CNNIC will be seen as a security flaw in Mozilla software.
That is the issue.
That is why Mozilla should care.
(even if they disagree)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002468</id>
	<title>Obligatory</title>
	<author>Anonymous</author>
	<datestamp>1265112180000</datestamp>
	<modclass>Offtopic</modclass>
	<modscore>-1</modscore>
	<htmltext><p>Me chinese me play joke me put peepee in your coke.</p></htmltext>
<tokenext>Me chinese me play joke me put peepee in your coke .</tokentext>
<sentencetext>Me chinese me play joke me put peepee in your coke.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006228</id>
	<title>Re:Something more substantial than Wikipedia ?</title>
	<author>Anonymous</author>
	<datestamp>1265136060000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>from:<br><a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=BrowserModifier\%3AWin32\%2FCNNIC" title="microsoft.com" rel="nofollow">http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=BrowserModifier\%3AWin32\%2FCNNIC</a> [microsoft.com]</p><p>Summary<br>BrowserModifier:Win32/CNNIC enables Chinese keyword searching in Internet Explorer and adds support for other applications to use Chinese domain names that registered with CNNIC (China Internet Network Information Center). This program is often installed as part of a shareware or freeware program, with or without user consent. BrowserModifier:Win32/CNNIC also contains a kernel driver that protects its files and registry settings from being modified or deleted. The program also includes automatic self-update functionality.</p></htmltext>
<tokenext>from : http : //www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx ? Name = BrowserModifier \ % 3AWin32 \ % 2FCNNIC [ microsoft.com ] SummaryBrowserModifier : Win32/CNNIC enables Chinese keyword searching in Internet Explorer and adds support for other applications to use Chinese domain names that registered with CNNIC ( China Internet Network Information Center ) .
This program is often installed as part of a shareware or freeware program , with or without user consent .
BrowserModifier : Win32/CNNIC also contains a kernel driver that protects its files and registry settings from being modified or deleted .
The program also includes automatic self-update functionality .</tokentext>
<sentencetext>from:http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=BrowserModifier\%3AWin32\%2FCNNIC [microsoft.com]SummaryBrowserModifier:Win32/CNNIC enables Chinese keyword searching in Internet Explorer and adds support for other applications to use Chinese domain names that registered with CNNIC (China Internet Network Information Center).
This program is often installed as part of a shareware or freeware program, with or without user consent.
BrowserModifier:Win32/CNNIC also contains a kernel driver that protects its files and registry settings from being modified or deleted.
The program also includes automatic self-update functionality.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002770</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005118</id>
	<title>Re:Given they've bowed to Chinese pressure</title>
	<author>Anonymous</author>
	<datestamp>1265128080000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>1</modscore>
	<htmltext><p>Deleting it does no good for ones that are marked "Builtin Object Token" -- they will come back when you restart. Instead "Edit" it and uncheck the trust boxes. The (lack of) trust settings are stored in your profile so updating Firefox will not affect it.</p><p>To those who don't see it, that's because you are not running Firefox 3.6, the first browser version released since CNNIC was added. The next 3.5. update will probably include it too.</p></htmltext>
<tokenext>Deleting it does no good for ones that are marked " Builtin Object Token " -- they will come back when you restart .
Instead " Edit " it and uncheck the trust boxes .
The ( lack of ) trust settings are stored in your profile so updating Firefox will not affect it.To those who do n't see it , that 's because you are not running Firefox 3.6 , the first browser version released since CNNIC was added .
The next 3.5. update will probably include it too .</tokentext>
<sentencetext>Deleting it does no good for ones that are marked "Builtin Object Token" -- they will come back when you restart.
Instead "Edit" it and uncheck the trust boxes.
The (lack of) trust settings are stored in your profile so updating Firefox will not affect it.To those who don't see it, that's because you are not running Firefox 3.6, the first browser version released since CNNIC was added.
The next 3.5. update will probably include it too.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002332</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31011826</id>
	<title>Re:Disagree with the premise.</title>
	<author>Anonymous</author>
	<datestamp>1264961460000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Agreed - this was a premature and ill-based decision that clearly wasn't based upon historical precedent.</p><p>"Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust."</p><p>This should be more than enough reasonable doubt, sufficient enough for launching investigations and putting a decision like this under the proverbial microscope.</p><p>Something tells me there's more to this situation than what's being published...</p></htmltext>
<tokenext>Agreed - this was a premature and ill-based decision that clearly was n't based upon historical precedent .
" Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC , and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust .
" This should be more than enough reasonable doubt , sufficient enough for launching investigations and putting a decision like this under the proverbial microscope.Something tells me there 's more to this situation than what 's being published.. .</tokentext>
<sentencetext>Agreed - this was a premature and ill-based decision that clearly wasn't based upon historical precedent.
"Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust.
"This should be more than enough reasonable doubt, sufficient enough for launching investigations and putting a decision like this under the proverbial microscope.Something tells me there's more to this situation than what's being published...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002502</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002384</id>
	<title>Re:Given they've bowed to Chinese pressure</title>
	<author>Anonymous</author>
	<datestamp>1265111700000</datestamp>
	<modclass>Funny</modclass>
	<modscore>3</modscore>
	<htmltext><p>Edit -&gt; Preferences -&gt; Advanced -&gt; Encryption -&gt; View Certificates -&gt; Authorities -&gt;<nobr> <wbr></nobr>... -&gt; Profit</p></htmltext>
<tokenext>Edit - &gt; Preferences - &gt; Advanced - &gt; Encryption - &gt; View Certificates - &gt; Authorities - &gt; ... - &gt; Profit</tokentext>
<sentencetext>Edit -&gt; Preferences -&gt; Advanced -&gt; Encryption -&gt; View Certificates -&gt; Authorities -&gt; ... -&gt; Profit</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002260</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002900</id>
	<title>So how is this different than the US based certs?</title>
	<author>Anonymous</author>
	<datestamp>1265114640000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>1</modscore>
	<htmltext><p>I fully expect that the US government can get access to appropriate certs needed for MitM attacks when they want. It isn't hard for them to pressure US based companies to do that.<br>For the unwashed masses worried about commerce, I doubt the Chinese government has any more interest in messing with that than the US government. For people that are worried about being spied on, they shouldn't be trusting any of those certs on machines used for doing whatever it is that they think might get them in trouble.</p></htmltext>
<tokenext>I fully expect that the US government can get access to appropriate certs needed for MitM attacks when they want .
It is n't hard for them to pressure US based companies to do that.For the unwashed masses worried about commerce , I doubt the Chinese government has any more interest in messing with that than the US government .
For people that are worried about being spied on , they should n't be trusting any of those certs on machines used for doing whatever it is that they think might get them in trouble .</tokentext>
<sentencetext>I fully expect that the US government can get access to appropriate certs needed for MitM attacks when they want.
It isn't hard for them to pressure US based companies to do that.For the unwashed masses worried about commerce, I doubt the Chinese government has any more interest in messing with that than the US government.
For people that are worried about being spied on, they shouldn't be trusting any of those certs on machines used for doing whatever it is that they think might get them in trouble.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002306</id>
	<title>As usual?</title>
	<author>Anonymous</author>
	<datestamp>1265111220000</datestamp>
	<modclass>Troll</modclass>
	<modscore>-1</modscore>
	<htmltext><p><div class="quote"><p>As usual, please refrain from blindly chiming into the discussion without supporting evidence</p></div><p>HAHAHAHAHAHAHAHAHAHAHAHAHAHA</p><p>You're stupid.</p><p>Evidence as cited.</p></div>
	</htmltext>
<tokenext>As usual , please refrain from blindly chiming into the discussion without supporting evidenceHAHAHAHAHAHAHAHAHAHAHAHAHAHAYou 're stupid.Evidence as cited .</tokentext>
<sentencetext>As usual, please refrain from blindly chiming into the discussion without supporting evidenceHAHAHAHAHAHAHAHAHAHAHAHAHAHAYou're stupid.Evidence as cited.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002278</id>
	<title>Anonymous Coward</title>
	<author>Anonymous</author>
	<datestamp>1265111100000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Now at last we can have signed Firefox Add-ons!</p></htmltext>
<tokenext>Now at last we can have signed Firefox Add-ons !</tokentext>
<sentencetext>Now at last we can have signed Firefox Add-ons!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31012234</id>
	<title>Re:Relative security of self-signed certificates</title>
	<author>emt377</author>
	<datestamp>1264962900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Perhaps merging a PGP-like web of trust interlink with SSL security.  So, if a close friend trusts foo.com as a CA, then the Web browser would assume that.</p></div><p>Too easy to infiltrate and subvert.  Also, how do you know your friend is who they claim they are?  A better solution would be that when you setup your bank's online access you generate a key pair and attach the public key to the 'submit' button (or equivalent).  The browser associates the private key with the URL and whenever you login in the future the bank presents proof that it knows your public key.  Or it could use it to protect the SSL key exchange (to thwart MITM attacks).  None of this is particularly complicated and would really just require extending the JS DOM and making a few protocol tweaks (and their implementations, of course).  If you want to access your bank from a different computer you copy over the private key, similar to SSH.  Note that this wouldn't be in lieu of user+pass or SSL, but in addition.</p></div>
	</htmltext>
<tokenext>Perhaps merging a PGP-like web of trust interlink with SSL security .
So , if a close friend trusts foo.com as a CA , then the Web browser would assume that.Too easy to infiltrate and subvert .
Also , how do you know your friend is who they claim they are ?
A better solution would be that when you setup your bank 's online access you generate a key pair and attach the public key to the 'submit ' button ( or equivalent ) .
The browser associates the private key with the URL and whenever you login in the future the bank presents proof that it knows your public key .
Or it could use it to protect the SSL key exchange ( to thwart MITM attacks ) .
None of this is particularly complicated and would really just require extending the JS DOM and making a few protocol tweaks ( and their implementations , of course ) .
If you want to access your bank from a different computer you copy over the private key , similar to SSH .
Note that this would n't be in lieu of user + pass or SSL , but in addition .</tokentext>
<sentencetext>Perhaps merging a PGP-like web of trust interlink with SSL security.
So, if a close friend trusts foo.com as a CA, then the Web browser would assume that.Too easy to infiltrate and subvert.
Also, how do you know your friend is who they claim they are?
A better solution would be that when you setup your bank's online access you generate a key pair and attach the public key to the 'submit' button (or equivalent).
The browser associates the private key with the URL and whenever you login in the future the bank presents proof that it knows your public key.
Or it could use it to protect the SSL key exchange (to thwart MITM attacks).
None of this is particularly complicated and would really just require extending the JS DOM and making a few protocol tweaks (and their implementations, of course).
If you want to access your bank from a different computer you copy over the private key, similar to SSH.
Note that this wouldn't be in lieu of user+pass or SSL, but in addition.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003152</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31008232</id>
	<title>Re: As usual, please refrain from blindly chiming</title>
	<author>jandersen</author>
	<datestamp>1264942080000</datestamp>
	<modclass>Troll</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>The question is, should it be removed for the safety of others?</p></div><p>This is nothing more than simple bigotry. You want them removed, not because they are more likely to abuse their position, but because they are Chinese or "Communists" or whatever. Why should I trust CNNIC less than, eg Microsoft Internet Authority, Deutsche Telekom or Sociedad Cameral de Certificacion Digital, just to mention three at random?</p><p><div class="quote"><p>The whole point of root certs is trust</p></div><p>No, the point is convenience. It is ultimately your own responsibility who you choose to trust, which is why you can edit the list of authorities your browser trusts.</p></div>
	</htmltext>
<tokenext>The question is , should it be removed for the safety of others ? This is nothing more than simple bigotry .
You want them removed , not because they are more likely to abuse their position , but because they are Chinese or " Communists " or whatever .
Why should I trust CNNIC less than , eg Microsoft Internet Authority , Deutsche Telekom or Sociedad Cameral de Certificacion Digital , just to mention three at random ? The whole point of root certs is trustNo , the point is convenience .
It is ultimately your own responsibility who you choose to trust , which is why you can edit the list of authorities your browser trusts .</tokentext>
<sentencetext>The question is, should it be removed for the safety of others?This is nothing more than simple bigotry.
You want them removed, not because they are more likely to abuse their position, but because they are Chinese or "Communists" or whatever.
Why should I trust CNNIC less than, eg Microsoft Internet Authority, Deutsche Telekom or Sociedad Cameral de Certificacion Digital, just to mention three at random?The whole point of root certs is trustNo, the point is convenience.
It is ultimately your own responsibility who you choose to trust, which is why you can edit the list of authorities your browser trusts.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002652</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31010286</id>
	<title>Re:easy solution</title>
	<author>bartwol</author>
	<datestamp>1264955700000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>The man-in-the-middle-attack would likely be targeted to particular clients of interest, e.g. requests originating from the IP address of a political dissident. For example, a PRC DNS server would watch for a request to resolve 'google.com' coming from a dissident's IP address, and only then would it return the IP address of a rogue web server on which an improperly issued [CNNIC] certificate has been installed. Your scanning strategy presumes that your scanner would be subjected to the problematic behavior; that presumption is optimistic.</htmltext>
<tokenext>The man-in-the-middle-attack would likely be targeted to particular clients of interest , e.g .
requests originating from the IP address of a political dissident .
For example , a PRC DNS server would watch for a request to resolve 'google.com ' coming from a dissident 's IP address , and only then would it return the IP address of a rogue web server on which an improperly issued [ CNNIC ] certificate has been installed .
Your scanning strategy presumes that your scanner would be subjected to the problematic behavior ; that presumption is optimistic .</tokentext>
<sentencetext>The man-in-the-middle-attack would likely be targeted to particular clients of interest, e.g.
requests originating from the IP address of a political dissident.
For example, a PRC DNS server would watch for a request to resolve 'google.com' coming from a dissident's IP address, and only then would it return the IP address of a rogue web server on which an improperly issued [CNNIC] certificate has been installed.
Your scanning strategy presumes that your scanner would be subjected to the problematic behavior; that presumption is optimistic.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003782</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003770</id>
	<title>I'm sorry sir, the certificate is in Chinese</title>
	<author>syousef</author>
	<datestamp>1265119380000</datestamp>
	<modclass>Funny</modclass>
	<modscore>4</modscore>
	<htmltext><p><i>Why is CNNIC untrustworthy ? In plain English please.</i></p><p>I'm sorry sir, the certificate is in Chinese.</p></htmltext>
<tokenext>Why is CNNIC untrustworthy ?
In plain English please.I 'm sorry sir , the certificate is in Chinese .</tokentext>
<sentencetext>Why is CNNIC untrustworthy ?
In plain English please.I'm sorry sir, the certificate is in Chinese.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002770</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002502</id>
	<title>Disagree with the premise.</title>
	<author>Jane Q. Public</author>
	<datestamp>1265112480000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>5</modscore>
	<htmltext><i>"Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."</i>
<br> <br>
I am not sure I agree with this. When accepting something that is very controversial, like for example accepting CNNIC as a neutral authority, or backing a perpetual-motion technology, the burden may very well be on the actor to defend its actions.</htmltext>
<tokenext>" Since Mozilla has already accepted CNNIC as a trusted root CA , the burden rests with those who argue for its removal .
" I am not sure I agree with this .
When accepting something that is very controversial , like for example accepting CNNIC as a neutral authority , or backing a perpetual-motion technology , the burden may very well be on the actor to defend its actions .</tokentext>
<sentencetext>"Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal.
"
 
I am not sure I agree with this.
When accepting something that is very controversial, like for example accepting CNNIC as a neutral authority, or backing a perpetual-motion technology, the burden may very well be on the actor to defend its actions.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005232</id>
	<title>Re: As usual, please refrain from blindly chiming</title>
	<author>Anonymous</author>
	<datestamp>1265128680000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I take issue, too.</p><p>"Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."</p><p>BULLSHIT ASSHOLES! FFFFUUUUU!!!!</p></htmltext>
<tokenext>I take issue , too .
" Since Mozilla has already accepted CNNIC as a trusted root CA , the burden rests with those who argue for its removal .
" BULLSHIT ASSHOLES !
FFFFUUUUU ! ! ! !</tokentext>
<sentencetext>I take issue, too.
"Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal.
"BULLSHIT ASSHOLES!
FFFFUUUUU!!!!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003938</id>
	<title>SSL pricing</title>
	<author>mshieh</author>
	<datestamp>1265120760000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Does this mean I won't have to pay $600/yr soon if I want a wildcard SSL certificate?  I've never been able to figure out why they cost more from a technical standpoint, except that they may get more requests on average.</p></htmltext>
<tokenext>Does this mean I wo n't have to pay $ 600/yr soon if I want a wildcard SSL certificate ?
I 've never been able to figure out why they cost more from a technical standpoint , except that they may get more requests on average .</tokentext>
<sentencetext>Does this mean I won't have to pay $600/yr soon if I want a wildcard SSL certificate?
I've never been able to figure out why they cost more from a technical standpoint, except that they may get more requests on average.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002874</id>
	<title>Re: As usual, please refrain from blindly chiming</title>
	<author>Anonymous</author>
	<datestamp>1265114520000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>If only we had the luxury of knowing which certificates to remove if you didn't trust the NSA. Guess MITM is a game for big players.<br>Our instructions for setting up VPN include a recommended step where you disable all root certificates but one for the connection. From a security standpoint, the whole web should work the same.</p><p>It's very annoying how Firefox insists on making self-signed certificates the biggest pain in the ass possible to accept, knowing you can't really trust the 'trusted' signers in the first place. For forums and the likes, just permanently storing the certificate so you can be sure you're getting an encrypted connection to the same entity each time would be sufficient.</p></htmltext>
<tokenext>If only we had the luxury of knowing which certificates to remove if you did n't trust the NSA .
Guess MITM is a game for big players.Our instructions for setting up VPN include a recommended step where you disable all root certificates but one for the connection .
From a security standpoint , the whole web should work the same.It 's very annoying how Firefox insists on making self-signed certificates the biggest pain in the ass possible to accept , knowing you ca n't really trust the 'trusted ' signers in the first place .
For forums and the likes , just permanently storing the certificate so you can be sure you 're getting an encrypted connection to the same entity each time would be sufficient .</tokentext>
<sentencetext>If only we had the luxury of knowing which certificates to remove if you didn't trust the NSA.
Guess MITM is a game for big players.Our instructions for setting up VPN include a recommended step where you disable all root certificates but one for the connection.
From a security standpoint, the whole web should work the same.It's very annoying how Firefox insists on making self-signed certificates the biggest pain in the ass possible to accept, knowing you can't really trust the 'trusted' signers in the first place.
For forums and the likes, just permanently storing the certificate so you can be sure you're getting an encrypted connection to the same entity each time would be sufficient.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002850</id>
	<title>Bug 542689 -  Please remove CNNIC CA root certifi</title>
	<author>Anonymous</author>
	<datestamp>1265114460000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>https://bugzilla.mozilla.org/show\_bug.cgi?id=542689</p></htmltext>
<tokenext>https : //bugzilla.mozilla.org/show \ _bug.cgi ? id = 542689</tokentext>
<sentencetext>https://bugzilla.mozilla.org/show\_bug.cgi?id=542689</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003782</id>
	<title>easy solution</title>
	<author>Anonymous</author>
	<datestamp>1265119500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Write a script that goes to lots of SSL sites and checks the signing certificate. Run one copy from behind the Great Firewall. Run another from the free world. Compare the output to see if CNNIC ever shows up where it shouldn't. Found a hit? Submit it to all the browser publishers and watch the security updates fly, as CNNIC loses all authority over SSL.</p><p>Bonus points if you can get Hillary Clinton to send a strongly-worded letter to China.</p></htmltext>
<tokenext>Write a script that goes to lots of SSL sites and checks the signing certificate .
Run one copy from behind the Great Firewall .
Run another from the free world .
Compare the output to see if CNNIC ever shows up where it should n't .
Found a hit ?
Submit it to all the browser publishers and watch the security updates fly , as CNNIC loses all authority over SSL.Bonus points if you can get Hillary Clinton to send a strongly-worded letter to China .</tokentext>
<sentencetext>Write a script that goes to lots of SSL sites and checks the signing certificate.
Run one copy from behind the Great Firewall.
Run another from the free world.
Compare the output to see if CNNIC ever shows up where it shouldn't.
Found a hit?
Submit it to all the browser publishers and watch the security updates fly, as CNNIC loses all authority over SSL.Bonus points if you can get Hillary Clinton to send a strongly-worded letter to China.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31013060</id>
	<title>Re:How do I mark all CAs in Firefox untrusted?</title>
	<author>u38cg</author>
	<datestamp>1264966740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>If you're that paranoid, delete them outright.</htmltext>
<tokenext>If you 're that paranoid , delete them outright .</tokentext>
<sentencetext>If you're that paranoid, delete them outright.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002600</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003368</id>
	<title>restricting it to *.cn would make sense</title>
	<author>Anonymous</author>
	<datestamp>1265117160000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Seeing as China makes lots of the core internet routers these days (with quickly growing market share) there is every reason to assume we're getting man-in-the-middle pwned.</p><p>I'm not in *.cn, and I'm not visiting *.cn, so why in Hell should this certificate apply to me? If suddenly www.adobe.com is signed by China, there sure is a problem!</p></htmltext>
<tokenext>Seeing as China makes lots of the core internet routers these days ( with quickly growing market share ) there is every reason to assume we 're getting man-in-the-middle pwned.I 'm not in * .cn , and I 'm not visiting * .cn , so why in Hell should this certificate apply to me ?
If suddenly www.adobe.com is signed by China , there sure is a problem !</tokentext>
<sentencetext>Seeing as China makes lots of the core internet routers these days (with quickly growing market share) there is every reason to assume we're getting man-in-the-middle pwned.I'm not in *.cn, and I'm not visiting *.cn, so why in Hell should this certificate apply to me?
If suddenly www.adobe.com is signed by China, there sure is a problem!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628</id>
	<title>Does anyone notable *not* support CNNIC?</title>
	<author>RalphBNumbers</author>
	<datestamp>1265113260000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><p>I just checked, and both MacOS X and Windows 7 seem to trust the CNNIC root...</p><p>If this is really a problem, and I haven't the slightest idea if it is, then it extends way beyond firefox.</p></htmltext>
<tokenext>I just checked , and both MacOS X and Windows 7 seem to trust the CNNIC root...If this is really a problem , and I have n't the slightest idea if it is , then it extends way beyond firefox .</tokentext>
<sentencetext>I just checked, and both MacOS X and Windows 7 seem to trust the CNNIC root...If this is really a problem, and I haven't the slightest idea if it is, then it extends way beyond firefox.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003728</id>
	<title>It's time to fight back.</title>
	<author>zill</author>
	<datestamp>1265119140000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>It's great that everyone is removing the CNNIC root CA, but that's just a defensive measure. And a temporary one at that too.<br> <br>

We need to take more progressive steps to solve the problem.We should be going on the offensive here. <br> <br>

Just link to CNNIC in the summary and they will disappear from the Internet forever; or at least get hit with a million dollar bandwidth bill.</htmltext>
<tokenext>It 's great that everyone is removing the CNNIC root CA , but that 's just a defensive measure .
And a temporary one at that too .
We need to take more progressive steps to solve the problem.We should be going on the offensive here .
Just link to CNNIC in the summary and they will disappear from the Internet forever ; or at least get hit with a million dollar bandwidth bill .</tokentext>
<sentencetext>It's great that everyone is removing the CNNIC root CA, but that's just a defensive measure.
And a temporary one at that too.
We need to take more progressive steps to solve the problem.We should be going on the offensive here.
Just link to CNNIC in the summary and they will disappear from the Internet forever; or at least get hit with a million dollar bandwidth bill.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31008088</id>
	<title>Re:Does anyone notable *not* support CNNIC?</title>
	<author>Inda</author>
	<datestamp>1264940220000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>kdawson's racism is getting tiresome. I assume it's him who posted this story? I don't even feel the need to go back and check.<br><br>As I said earlier, I wish he'd just come out and call them all slanty eyed nips.<br><br>Why is it that some people always need an enemy?</htmltext>
<tokenext>kdawson 's racism is getting tiresome .
I assume it 's him who posted this story ?
I do n't even feel the need to go back and check.As I said earlier , I wish he 'd just come out and call them all slanty eyed nips.Why is it that some people always need an enemy ?</tokentext>
<sentencetext>kdawson's racism is getting tiresome.
I assume it's him who posted this story?
I don't even feel the need to go back and check.As I said earlier, I wish he'd just come out and call them all slanty eyed nips.Why is it that some people always need an enemy?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003298</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003516</id>
	<title>No Criminals Should Be Granting Certificates</title>
	<author>mrcaseyj</author>
	<datestamp>1265117820000</datestamp>
	<modclass>Flamebait</modclass>
	<modscore>-1</modscore>
	<htmltext><p>The Chinese government is blatantly and extensively violating the almost universally recognized standards for human rights. Even the Chinese government itself recognizes the rights it violates. The Chinese government are murdering thieving criminals, so it is absurd to grant certificate issuing privileges to them or any other entity in a country without freedom of speech or a reasonable approximation of democracy. Some would try to argue that political philosophy is all relative, and that governments like the US are criminal as well. But while no country is perfect, there is a HUGE difference between flawed democratic countries like the US and countries who blatantly massively violate freedom of speech and who's democracy isn't even roughly legitimate. There is a large gulf between approximately-just and blatantly-criminal governments, which can be identified by a single feature: freedom of speech. If the people can openly debate their government, then the people will bring the government approximately into the control of the people. Sometimes it is said that we should let other countries run their country the way they want to. But if there is no democracy and freedom of speech, then how does anyone know how "they" (the people) want to run their country? If there is no democracy then all we know is how "they" (the criminal government) wants to run their country.</p><p>DON'T GIVE MURDERING THIEVES THE KEYS TO YOUR SECURITY!</p></htmltext>
<tokenext>The Chinese government is blatantly and extensively violating the almost universally recognized standards for human rights .
Even the Chinese government itself recognizes the rights it violates .
The Chinese government are murdering thieving criminals , so it is absurd to grant certificate issuing privileges to them or any other entity in a country without freedom of speech or a reasonable approximation of democracy .
Some would try to argue that political philosophy is all relative , and that governments like the US are criminal as well .
But while no country is perfect , there is a HUGE difference between flawed democratic countries like the US and countries who blatantly massively violate freedom of speech and who 's democracy is n't even roughly legitimate .
There is a large gulf between approximately-just and blatantly-criminal governments , which can be identified by a single feature : freedom of speech .
If the people can openly debate their government , then the people will bring the government approximately into the control of the people .
Sometimes it is said that we should let other countries run their country the way they want to .
But if there is no democracy and freedom of speech , then how does anyone know how " they " ( the people ) want to run their country ?
If there is no democracy then all we know is how " they " ( the criminal government ) wants to run their country.DO N'T GIVE MURDERING THIEVES THE KEYS TO YOUR SECURITY !</tokentext>
<sentencetext>The Chinese government is blatantly and extensively violating the almost universally recognized standards for human rights.
Even the Chinese government itself recognizes the rights it violates.
The Chinese government are murdering thieving criminals, so it is absurd to grant certificate issuing privileges to them or any other entity in a country without freedom of speech or a reasonable approximation of democracy.
Some would try to argue that political philosophy is all relative, and that governments like the US are criminal as well.
But while no country is perfect, there is a HUGE difference between flawed democratic countries like the US and countries who blatantly massively violate freedom of speech and who's democracy isn't even roughly legitimate.
There is a large gulf between approximately-just and blatantly-criminal governments, which can be identified by a single feature: freedom of speech.
If the people can openly debate their government, then the people will bring the government approximately into the control of the people.
Sometimes it is said that we should let other countries run their country the way they want to.
But if there is no democracy and freedom of speech, then how does anyone know how "they" (the people) want to run their country?
If there is no democracy then all we know is how "they" (the criminal government) wants to run their country.DON'T GIVE MURDERING THIEVES THE KEYS TO YOUR SECURITY!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002652</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31016048</id>
	<title>Re: As usual, please refrain from blindly chiming</title>
	<author>zuperduperman</author>
	<datestamp>1264937820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I'm 99\% certain the browser will give no warning.  All it cares is that whatever cert is presented by the server is signed by a trusted root.   That root can change around all it wants.   This happens routinely when people replace their root certs on web servers and switch between issuers.  It does not generate any kind of warning.</p></htmltext>
<tokenext>I 'm 99 \ % certain the browser will give no warning .
All it cares is that whatever cert is presented by the server is signed by a trusted root .
That root can change around all it wants .
This happens routinely when people replace their root certs on web servers and switch between issuers .
It does not generate any kind of warning .</tokentext>
<sentencetext>I'm 99\% certain the browser will give no warning.
All it cares is that whatever cert is presented by the server is signed by a trusted root.
That root can change around all it wants.
This happens routinely when people replace their root certs on web servers and switch between issuers.
It does not generate any kind of warning.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005850</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002958</id>
	<title>Re:Given they've bowed to Chinese pressure</title>
	<author>Anonymous</author>
	<datestamp>1265114820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>One way: Go to Firefox's Certificate Manager. (Tools -&gt; Options -&gt; Advanced -&gt; Encryption -&gt; View Certificates), click the "Authorities" tab, scroll down to "CNNIC ROOT", select it, click edit, uncheck the "trust settings".</htmltext>
<tokenext>One way : Go to Firefox 's Certificate Manager .
( Tools - &gt; Options - &gt; Advanced - &gt; Encryption - &gt; View Certificates ) , click the " Authorities " tab , scroll down to " CNNIC ROOT " , select it , click edit , uncheck the " trust settings " .</tokentext>
<sentencetext>One way: Go to Firefox's Certificate Manager.
(Tools -&gt; Options -&gt; Advanced -&gt; Encryption -&gt; View Certificates), click the "Authorities" tab, scroll down to "CNNIC ROOT", select it, click edit, uncheck the "trust settings".</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002260</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004160</id>
	<title>Why bother, there's always opera</title>
	<author>baomike</author>
	<datestamp>1265122200000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>"Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."<br>Yah , sure, whatever<nobr> <wbr></nobr>...</p></htmltext>
<tokenext>" Since Mozilla has already accepted CNNIC as a trusted root CA , the burden rests with those who argue for its removal .
" Yah , sure , whatever .. .</tokentext>
<sentencetext>"Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal.
"Yah , sure, whatever ...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31019844</id>
	<title>Re:delete cert? finger in dike</title>
	<author>Anonymous</author>
	<datestamp>1265275080000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>There is an excellent overview of MITM attack methods one Eddy Nigg's blog over at Startcom (which issues CA's) here:<br>https://blog.startcom.org/?p=125</p><p>But to get an idea of how precarious the certificate situation is you should read Eddy's report on the total lack of inquiry he experienced when he decided to test the security involved in requesting a certificate.  Bottom line: he obtained a trusted certificate for the domain name mozilla.com (which he has no right to receive at all) in less than five minutes from one of comodo's resellers with no questions asked at all.  How's that for an exploit?  Interesting to read on Eddy's blog:<br>https://blog.startcom.org/?p=145</p></htmltext>
<tokenext>There is an excellent overview of MITM attack methods one Eddy Nigg 's blog over at Startcom ( which issues CA 's ) here : https : //blog.startcom.org/ ? p = 125But to get an idea of how precarious the certificate situation is you should read Eddy 's report on the total lack of inquiry he experienced when he decided to test the security involved in requesting a certificate .
Bottom line : he obtained a trusted certificate for the domain name mozilla.com ( which he has no right to receive at all ) in less than five minutes from one of comodo 's resellers with no questions asked at all .
How 's that for an exploit ?
Interesting to read on Eddy 's blog : https : //blog.startcom.org/ ? p = 145</tokentext>
<sentencetext>There is an excellent overview of MITM attack methods one Eddy Nigg's blog over at Startcom (which issues CA's) here:https://blog.startcom.org/?p=125But to get an idea of how precarious the certificate situation is you should read Eddy's report on the total lack of inquiry he experienced when he decided to test the security involved in requesting a certificate.
Bottom line: he obtained a trusted certificate for the domain name mozilla.com (which he has no right to receive at all) in less than five minutes from one of comodo's resellers with no questions asked at all.
How's that for an exploit?
Interesting to read on Eddy's blog:https://blog.startcom.org/?p=145</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002892</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002524</id>
	<title>delete cert? finger in dike</title>
	<author>Anonymous</author>
	<datestamp>1265112600000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><p>Did you notice how many CAs are in the list?  How do you feel about each?</p><p>I might recommend encouraging technologies like <a href="http://www.cs.cmu.edu/~perspectives/" title="cmu.edu">Perspectives</a> [cmu.edu] to provide defense in depth.</p></htmltext>
<tokenext>Did you notice how many CAs are in the list ?
How do you feel about each ? I might recommend encouraging technologies like Perspectives [ cmu.edu ] to provide defense in depth .</tokentext>
<sentencetext>Did you notice how many CAs are in the list?
How do you feel about each?I might recommend encouraging technologies like Perspectives [cmu.edu] to provide defense in depth.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003222</id>
	<title>Re:So how is this different than the US based cert</title>
	<author>Anonymous</author>
	<datestamp>1265116320000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I wouldn't say that.  Being able to intercept data like passwords doesn't give blackhats info, it gives them access to things.  Picture a company that has their finances quietly eavesdropped on, then when it comes time for revenge, it would be trivial to log on, pull money out of accounts and have it look like the corporate officers embezzled funds.</p><p>Result:  Shareholders sue, corporate officers get tossed into prison, and nobody is the wiser that it was done offshore.</p></htmltext>
<tokenext>I would n't say that .
Being able to intercept data like passwords does n't give blackhats info , it gives them access to things .
Picture a company that has their finances quietly eavesdropped on , then when it comes time for revenge , it would be trivial to log on , pull money out of accounts and have it look like the corporate officers embezzled funds.Result : Shareholders sue , corporate officers get tossed into prison , and nobody is the wiser that it was done offshore .</tokentext>
<sentencetext>I wouldn't say that.
Being able to intercept data like passwords doesn't give blackhats info, it gives them access to things.
Picture a company that has their finances quietly eavesdropped on, then when it comes time for revenge, it would be trivial to log on, pull money out of accounts and have it look like the corporate officers embezzled funds.Result:  Shareholders sue, corporate officers get tossed into prison, and nobody is the wiser that it was done offshore.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002900</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002470</id>
	<title>Thanks For The Heads Up...</title>
	<author>Anonymous</author>
	<datestamp>1265112180000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Deleting it as we speak....</p></htmltext>
<tokenext>Deleting it as we speak... .</tokentext>
<sentencetext>Deleting it as we speak....</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003674</id>
	<title>Re:Does anyone notable *not* support CNNIC?</title>
	<author>ScrewMaster</author>
	<datestamp>1265118780000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p><div class="quote"><p>&gt;<nobr> <wbr></nobr>... it extends way beyond firefox.</p><p>And it extends way beyond China. I see this as simply another example of "yellow peril" thinking. What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA? All this "evil Chinese" stuff is getting tiresome.</p></div><p>Gagh. Such histrionics. Look, this isn't about all Chinese people being evil. It <i>is</i> about a particular country that happens to be the source of an astounding number of remote attacks, cracks, hacks and exploits on the network infrastructure of other nations. The question is whether or not those nations who are subject to China's self-serving Internet activities should aid in those efforts. Rather a foot-in-self-shoot situation really. Me, I've all but switched to Chrome anyway for most things, and this is just another reason to finish the job.
<br> <br>
I know what you're saying when you use the phrase "yellow peril", but there is some truth to it. China is a threat on the world scene, more than at any other point in their history.</p></div>
	</htmltext>
<tokenext>&gt; ... it extends way beyond firefox.And it extends way beyond China .
I see this as simply another example of " yellow peril " thinking .
What about the Brits , who want to monitor everything ?
What about the French , who want to kick people off the net for misbehaving ?
What about Iran , who wants to kick out everyone ?
Do you really think the USA looks like the good guys to the rest of the 'net ?
Who gave the world Microsoft , and the RIAA , and the MPAA ?
All this " evil Chinese " stuff is getting tiresome.Gagh .
Such histrionics .
Look , this is n't about all Chinese people being evil .
It is about a particular country that happens to be the source of an astounding number of remote attacks , cracks , hacks and exploits on the network infrastructure of other nations .
The question is whether or not those nations who are subject to China 's self-serving Internet activities should aid in those efforts .
Rather a foot-in-self-shoot situation really .
Me , I 've all but switched to Chrome anyway for most things , and this is just another reason to finish the job .
I know what you 're saying when you use the phrase " yellow peril " , but there is some truth to it .
China is a threat on the world scene , more than at any other point in their history .</tokentext>
<sentencetext>&gt; ... it extends way beyond firefox.And it extends way beyond China.
I see this as simply another example of "yellow peril" thinking.
What about the Brits, who want to monitor everything?
What about the French, who want to kick people off the net for misbehaving?
What about Iran, who wants to kick out everyone?
Do you really think the USA looks like the good guys to the rest of the 'net?
Who gave the world Microsoft, and the RIAA, and the MPAA?
All this "evil Chinese" stuff is getting tiresome.Gagh.
Such histrionics.
Look, this isn't about all Chinese people being evil.
It is about a particular country that happens to be the source of an astounding number of remote attacks, cracks, hacks and exploits on the network infrastructure of other nations.
The question is whether or not those nations who are subject to China's self-serving Internet activities should aid in those efforts.
Rather a foot-in-self-shoot situation really.
Me, I've all but switched to Chrome anyway for most things, and this is just another reason to finish the job.
I know what you're saying when you use the phrase "yellow peril", but there is some truth to it.
China is a threat on the world scene, more than at any other point in their history.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003298</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002892</id>
	<title>Re:delete cert? finger in dike</title>
	<author>zonky</author>
	<datestamp>1265114580000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext>Sound advice. For those new to perspectives, it uses  notary servers, and compares the thumbprint of the SSL cert with what 4-5 other points on the internet see.

This should at least prevent localised MITM, even with a trusted CA issuing the MITM cert.</htmltext>
<tokenext>Sound advice .
For those new to perspectives , it uses notary servers , and compares the thumbprint of the SSL cert with what 4-5 other points on the internet see .
This should at least prevent localised MITM , even with a trusted CA issuing the MITM cert .</tokentext>
<sentencetext>Sound advice.
For those new to perspectives, it uses  notary servers, and compares the thumbprint of the SSL cert with what 4-5 other points on the internet see.
This should at least prevent localised MITM, even with a trusted CA issuing the MITM cert.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002524</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002770</id>
	<title>Something more substantial than Wikipedia ?</title>
	<author>Antiocheian</author>
	<datestamp>1265113980000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>5</modscore>
	<htmltext><p>"surfaced claims of malware production and distribution"</p><p>This claim cites Wikipedia and in particular this unverifiable, POV-ridden paragraph:</p><p>"CNNIC produces one of the best-known malwares in China: the Chinese-Language-Surfing Official Edition(). The software is frequently bundled with other adware/sharewares. It was declared malware by Beijing Network Industry Association() and San Ji Wu Xian Co Ltd., the company behind 360 Safeguard(360), an anti-virus software. San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC."</p><p>Which libels CNNIC for connections with malware while the only case against CNNIC was actually ruled towards their favor.</p><p>Why is CNNIC untrustworthy ? In plain English please.</p></htmltext>
<tokenext>" surfaced claims of malware production and distribution " This claim cites Wikipedia and in particular this unverifiable , POV-ridden paragraph : " CNNIC produces one of the best-known malwares in China : the Chinese-Language-Surfing Official Edition ( ) .
The software is frequently bundled with other adware/sharewares .
It was declared malware by Beijing Network Industry Association ( ) and San Ji Wu Xian Co Ltd. , the company behind 360 Safeguard ( 360 ) , an anti-virus software .
San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC .
" Which libels CNNIC for connections with malware while the only case against CNNIC was actually ruled towards their favor.Why is CNNIC untrustworthy ?
In plain English please .</tokentext>
<sentencetext>"surfaced claims of malware production and distribution"This claim cites Wikipedia and in particular this unverifiable, POV-ridden paragraph:"CNNIC produces one of the best-known malwares in China: the Chinese-Language-Surfing Official Edition().
The software is frequently bundled with other adware/sharewares.
It was declared malware by Beijing Network Industry Association() and San Ji Wu Xian Co Ltd., the company behind 360 Safeguard(360), an anti-virus software.
San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC.
"Which libels CNNIC for connections with malware while the only case against CNNIC was actually ruled towards their favor.Why is CNNIC untrustworthy ?
In plain English please.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002484</id>
	<title>You're kidding, right?</title>
	<author>taoye</author>
	<datestamp>1265112300000</datestamp>
	<modclass>Funny</modclass>
	<modscore>5</modscore>
	<htmltext>Just wait while I go infiltrate the Chinese government to determine if they are doing bad things through CNNIC, so I can come back with evidence. While I'm at it, I'll be travelling through West Africa and I have the sum of $1,000,000,000 USD of money stashed there and I need your help to get it out of the country. I will give you 10\% guaranteed.....</htmltext>
<tokenext>Just wait while I go infiltrate the Chinese government to determine if they are doing bad things through CNNIC , so I can come back with evidence .
While I 'm at it , I 'll be travelling through West Africa and I have the sum of $ 1,000,000,000 USD of money stashed there and I need your help to get it out of the country .
I will give you 10 \ % guaranteed.... .</tokentext>
<sentencetext>Just wait while I go infiltrate the Chinese government to determine if they are doing bad things through CNNIC, so I can come back with evidence.
While I'm at it, I'll be travelling through West Africa and I have the sum of $1,000,000,000 USD of money stashed there and I need your help to get it out of the country.
I will give you 10\% guaranteed.....</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31007016</id>
	<title>Re:Relative security of self-signed certificates</title>
	<author>the\_womble</author>
	<datestamp>1264971180000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Why are self-signed certificates viewed with such relative suspicion?</p></div><p>Because there is no money in them?</p><p>I would prefer either:</p><p>1) relying on certs distributed through another channel, or<br>2) An SSH like system that notified you of changes.</p></div>
	</htmltext>
<tokenext>Why are self-signed certificates viewed with such relative suspicion ? Because there is no money in them ? I would prefer either : 1 ) relying on certs distributed through another channel , or2 ) An SSH like system that notified you of changes .</tokentext>
<sentencetext>Why are self-signed certificates viewed with such relative suspicion?Because there is no money in them?I would prefer either:1) relying on certs distributed through another channel, or2) An SSH like system that notified you of changes.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002550</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31015858</id>
	<title>Re:Given they've bowed to Chinese pressure</title>
	<author>GuanoBoy</author>
	<datestamp>1264936980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Y...if you are on Windows, but if you <em>are</em> on Windows the CNNIC certificate is probably not the most significant of your security worries...<nobr> <wbr></nobr>:)</p></div><p>Agreed.

BTW, the CNNIC cert is not included in the Firefox 3.6 package in PCLinuxOS.  "Government Root Certificate Authority" (Taiwan) is included (despite a more sinister name) and a few other foreign companies are, but none are to be seen from CNNIC.</p></div>
	</htmltext>
<tokenext>Y...if you are on Windows , but if you are on Windows the CNNIC certificate is probably not the most significant of your security worries... : ) Agreed . BTW , the CNNIC cert is not included in the Firefox 3.6 package in PCLinuxOS .
" Government Root Certificate Authority " ( Taiwan ) is included ( despite a more sinister name ) and a few other foreign companies are , but none are to be seen from CNNIC .</tokentext>
<sentencetext>Y...if you are on Windows, but if you are on Windows the CNNIC certificate is probably not the most significant of your security worries... :)Agreed.

BTW, the CNNIC cert is not included in the Firefox 3.6 package in PCLinuxOS.
"Government Root Certificate Authority" (Taiwan) is included (despite a more sinister name) and a few other foreign companies are, but none are to be seen from CNNIC.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002332</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31008382</id>
	<title>What is the problem, honestly ?</title>
	<author>mxs</author>
	<datestamp>1264944120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>It seems as though the poster wants to imply that there is something inherently wrong with accepting CNNIC as a CA -- but does not state why it is the case apart from rumor and that the Chinese government "may" be controlling this entity.</p><p>It escapes me what the problem is; there are lots and lots of CAs listed as trusted roots -- any number of which could do malicious things without anybody being the wiser (and some of which will gladly hand out certificates to microsoft.com and others, if only either your story is good enough ("internal test server"), or their interface is bad enough). "Trusted CA" is a misnomer in any browser distribution -- I sure as heck do not trust half the companies in that list, and neither should you -- since you never even heard about most of them.</p><p>None of this actually impacts the security of SSL. Let's face it, the PKI for SSL is broken. Anybody can claim to be anybody and somebody will sign off on it. You won't even be notified when that happens to "your" domain. There is no such thing as a central registry -- as with DNS, for instance. There is no such thing as proper delegation -- as with DNS, for instance. If you trust a SSL certificate because it is signed by some "trusted" CA in a browser, you are doing it wrong. Not that it really matters -- people do not check certificate chains or even particularly care about changed certs so long as the "Buy now" button works on Amazon.</p><p>There is no inherent value in a certificate signed by a "trusted" CA over a self-signed certificate. Both result in a stream-cipher-encrypted connection. That is about all SSL is good for, unless you have a local CA and that local CA is the only trusted CA in any of your CA-aware applications -- and, of course, you have cryptography-savvy users. I'll wait a while for the laughter to die down.</p></htmltext>
<tokenext>It seems as though the poster wants to imply that there is something inherently wrong with accepting CNNIC as a CA -- but does not state why it is the case apart from rumor and that the Chinese government " may " be controlling this entity.It escapes me what the problem is ; there are lots and lots of CAs listed as trusted roots -- any number of which could do malicious things without anybody being the wiser ( and some of which will gladly hand out certificates to microsoft.com and others , if only either your story is good enough ( " internal test server " ) , or their interface is bad enough ) .
" Trusted CA " is a misnomer in any browser distribution -- I sure as heck do not trust half the companies in that list , and neither should you -- since you never even heard about most of them.None of this actually impacts the security of SSL .
Let 's face it , the PKI for SSL is broken .
Anybody can claim to be anybody and somebody will sign off on it .
You wo n't even be notified when that happens to " your " domain .
There is no such thing as a central registry -- as with DNS , for instance .
There is no such thing as proper delegation -- as with DNS , for instance .
If you trust a SSL certificate because it is signed by some " trusted " CA in a browser , you are doing it wrong .
Not that it really matters -- people do not check certificate chains or even particularly care about changed certs so long as the " Buy now " button works on Amazon.There is no inherent value in a certificate signed by a " trusted " CA over a self-signed certificate .
Both result in a stream-cipher-encrypted connection .
That is about all SSL is good for , unless you have a local CA and that local CA is the only trusted CA in any of your CA-aware applications -- and , of course , you have cryptography-savvy users .
I 'll wait a while for the laughter to die down .</tokentext>
<sentencetext>It seems as though the poster wants to imply that there is something inherently wrong with accepting CNNIC as a CA -- but does not state why it is the case apart from rumor and that the Chinese government "may" be controlling this entity.It escapes me what the problem is; there are lots and lots of CAs listed as trusted roots -- any number of which could do malicious things without anybody being the wiser (and some of which will gladly hand out certificates to microsoft.com and others, if only either your story is good enough ("internal test server"), or their interface is bad enough).
"Trusted CA" is a misnomer in any browser distribution -- I sure as heck do not trust half the companies in that list, and neither should you -- since you never even heard about most of them.None of this actually impacts the security of SSL.
Let's face it, the PKI for SSL is broken.
Anybody can claim to be anybody and somebody will sign off on it.
You won't even be notified when that happens to "your" domain.
There is no such thing as a central registry -- as with DNS, for instance.
There is no such thing as proper delegation -- as with DNS, for instance.
If you trust a SSL certificate because it is signed by some "trusted" CA in a browser, you are doing it wrong.
Not that it really matters -- people do not check certificate chains or even particularly care about changed certs so long as the "Buy now" button works on Amazon.There is no inherent value in a certificate signed by a "trusted" CA over a self-signed certificate.
Both result in a stream-cipher-encrypted connection.
That is about all SSL is good for, unless you have a local CA and that local CA is the only trusted CA in any of your CA-aware applications -- and, of course, you have cryptography-savvy users.
I'll wait a while for the laughter to die down.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003294</id>
	<title>Re:Something more substantial than Wikipedia ?</title>
	<author>Jeremy Erwin</author>
	<datestamp>1265116680000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p><div class="quote"><p>San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC.</p></div><p>Tell me why I should trust a Chinese court. Because the Chinese Communist Party tells me they're trustworthy? Sorry, I'm not sure I should trust the CCP. Can you provide a trustworthy source that will attest to the CCP's ethics?</p></div>
	</htmltext>
<tokenext>San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC.Tell me why I should trust a Chinese court .
Because the Chinese Communist Party tells me they 're trustworthy ?
Sorry , I 'm not sure I should trust the CCP .
Can you provide a trustworthy source that will attest to the CCP 's ethics ?</tokentext>
<sentencetext>San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC.Tell me why I should trust a Chinese court.
Because the Chinese Communist Party tells me they're trustworthy?
Sorry, I'm not sure I should trust the CCP.
Can you provide a trustworthy source that will attest to the CCP's ethics?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002770</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006542</id>
	<title>Chinese don't trust CNNIC</title>
	<author>xizhi.zhu</author>
	<datestamp>1265139240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>the truth is that Chinese don't trust CNNIC, me included. if you search CNNIC on twitter, you'll find many Chinese talking about how to remove it permanently. what I want to add is that the we use SSL/TLS because we trust the CA, but now if the CA is not trusted, what do you think?</htmltext>
<tokenext>the truth is that Chinese do n't trust CNNIC , me included .
if you search CNNIC on twitter , you 'll find many Chinese talking about how to remove it permanently .
what I want to add is that the we use SSL/TLS because we trust the CA , but now if the CA is not trusted , what do you think ?</tokentext>
<sentencetext>the truth is that Chinese don't trust CNNIC, me included.
if you search CNNIC on twitter, you'll find many Chinese talking about how to remove it permanently.
what I want to add is that the we use SSL/TLS because we trust the CA, but now if the CA is not trusted, what do you think?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006370</id>
	<title>Re: As usual, please refrain from blindly chiming</title>
	<author>Anonymous</author>
	<datestamp>1265137500000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Uhh, that would be "lanugo" or possibly "vernix" but babies do not typically come out covered with "placenta."</p></htmltext>
<tokenext>Uhh , that would be " lanugo " or possibly " vernix " but babies do not typically come out covered with " placenta .
"</tokentext>
<sentencetext>Uhh, that would be "lanugo" or possibly "vernix" but babies do not typically come out covered with "placenta.
"</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005114</id>
	<title>Re:So how is this different than the US based cert</title>
	<author>plasticsquirrel</author>
	<datestamp>1265128080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>It's different because it's China, and China is the new Evil Empire. As soon as it became clear that we weren't going to be able to destroy every last terrorist, people got bored with blaming everything on them. Now it's the Chinese who are apparently the soulless bad guys who are attacking the very foundations of the Free World. Oh, the humanity.</htmltext>
<tokenext>It 's different because it 's China , and China is the new Evil Empire .
As soon as it became clear that we were n't going to be able to destroy every last terrorist , people got bored with blaming everything on them .
Now it 's the Chinese who are apparently the soulless bad guys who are attacking the very foundations of the Free World .
Oh , the humanity .</tokentext>
<sentencetext>It's different because it's China, and China is the new Evil Empire.
As soon as it became clear that we weren't going to be able to destroy every last terrorist, people got bored with blaming everything on them.
Now it's the Chinese who are apparently the soulless bad guys who are attacking the very foundations of the Free World.
Oh, the humanity.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002900</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31011822</id>
	<title>Automated ways of untrusting CCNIC???</title>
	<author>mattb47</author>
	<datestamp>1264961460000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>OK, we should untrust CCNIC...</p><p>Unfortunately, the ways posted so far are all manual.  I'm an IT consultant and manage Windows/Linux networks for multiple companies.  I need to be able to untrust CCNIC (and maybe Entrust.net as well...) for all computers on these networks.</p><p>Ideally, whatever script, group policy, etc. employed should:<br>1. check to see if CCNIC is trusted in Firefox, and if so, untrust it<br>2. check to see if CCNIC is trusted in the OS itself, and if so, untrust it.</p><p>And yes, this is a problem apparently on just about all OSes.  I really just need a way to do this on Windows XP or greater and Ubuntu, although this problem seems to exist everywhere.</p><p>- Matt Borcherding</p></htmltext>
<tokenext>OK , we should untrust CCNIC...Unfortunately , the ways posted so far are all manual .
I 'm an IT consultant and manage Windows/Linux networks for multiple companies .
I need to be able to untrust CCNIC ( and maybe Entrust.net as well... ) for all computers on these networks.Ideally , whatever script , group policy , etc .
employed should : 1. check to see if CCNIC is trusted in Firefox , and if so , untrust it2 .
check to see if CCNIC is trusted in the OS itself , and if so , untrust it.And yes , this is a problem apparently on just about all OSes .
I really just need a way to do this on Windows XP or greater and Ubuntu , although this problem seems to exist everywhere.- Matt Borcherding</tokentext>
<sentencetext>OK, we should untrust CCNIC...Unfortunately, the ways posted so far are all manual.
I'm an IT consultant and manage Windows/Linux networks for multiple companies.
I need to be able to untrust CCNIC (and maybe Entrust.net as well...) for all computers on these networks.Ideally, whatever script, group policy, etc.
employed should:1. check to see if CCNIC is trusted in Firefox, and if so, untrust it2.
check to see if CCNIC is trusted in the OS itself, and if so, untrust it.And yes, this is a problem apparently on just about all OSes.
I really just need a way to do this on Windows XP or greater and Ubuntu, although this problem seems to exist everywhere.- Matt Borcherding</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005692</id>
	<title>Re:Does anyone notable *not* support CNNIC?</title>
	<author>russotto</author>
	<datestamp>1265131680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>I just checked, and both MacOS X and Windows 7 seem to trust the CNNIC root...</p></div></blockquote><p>

Yep.  In OS X, as an administrator, go to Keychain Access, select "System Roots", and notice CNNIC ROOT in the list.  While you're there, may as well do a GET INFO on it, expand the "Trust" setting, and mark it as untrusted.</p></div>
	</htmltext>
<tokenext>I just checked , and both MacOS X and Windows 7 seem to trust the CNNIC root.. . Yep. In OS X , as an administrator , go to Keychain Access , select " System Roots " , and notice CNNIC ROOT in the list .
While you 're there , may as well do a GET INFO on it , expand the " Trust " setting , and mark it as untrusted .</tokentext>
<sentencetext>I just checked, and both MacOS X and Windows 7 seem to trust the CNNIC root...

Yep.  In OS X, as an administrator, go to Keychain Access, select "System Roots", and notice CNNIC ROOT in the list.
While you're there, may as well do a GET INFO on it, expand the "Trust" setting, and mark it as untrusted.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003268</id>
	<title>Which CA</title>
	<author>Anonymous</author>
	<datestamp>1265116560000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>"a trusted CA root"</p><p>Which CA are we talking abpout here?</p><p>Canada ?<br>California<br>Computer Associates<br>Cancer</p><p>Or is this a new abbreviation for Chinese Authorities ?</p></htmltext>
<tokenext>" a trusted CA root " Which CA are we talking abpout here ? Canada ? CaliforniaComputer AssociatesCancerOr is this a new abbreviation for Chinese Authorities ?</tokentext>
<sentencetext>"a trusted CA root"Which CA are we talking abpout here?Canada ?CaliforniaComputer AssociatesCancerOr is this a new abbreviation for Chinese Authorities ?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004526</id>
	<title>my copy of Chrome accepts the CNNIC cert</title>
	<author>vrmlguy</author>
	<datestamp>1265124720000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I'm running version 4.0.249.78 on WinXP.  Clicking on "[monkeywrench]/Options" brings up a dialog box.  Clicking on the third tab and scrolling to the bottom of the presented list shows a button, "Manage certificates".  Clicking on that button brings up the "Trusted Certificates" dialog box.  Clicking on the "Trusted Root Certification Authorities" tab reveals a long list of certificates.  Scroll down to "CNNIC ROOT" and double-click on its entry to bring up your third dialog box, "Certificate".  Click on the "Details" tab and then the "Edit Properties..." button to open the final dialog, "Certificate Properties".  Click on "Disable all purposes for this certificate" and then "OK", "OK", "Close" and "Close".</p><p>It is unfortunate that this does not preserve the various check-marks on the individual purposes.  I would have liked to have that information retained for future reference.</p></htmltext>
<tokenext>I 'm running version 4.0.249.78 on WinXP .
Clicking on " [ monkeywrench ] /Options " brings up a dialog box .
Clicking on the third tab and scrolling to the bottom of the presented list shows a button , " Manage certificates " .
Clicking on that button brings up the " Trusted Certificates " dialog box .
Clicking on the " Trusted Root Certification Authorities " tab reveals a long list of certificates .
Scroll down to " CNNIC ROOT " and double-click on its entry to bring up your third dialog box , " Certificate " .
Click on the " Details " tab and then the " Edit Properties... " button to open the final dialog , " Certificate Properties " .
Click on " Disable all purposes for this certificate " and then " OK " , " OK " , " Close " and " Close " .It is unfortunate that this does not preserve the various check-marks on the individual purposes .
I would have liked to have that information retained for future reference .</tokentext>
<sentencetext>I'm running version 4.0.249.78 on WinXP.
Clicking on "[monkeywrench]/Options" brings up a dialog box.
Clicking on the third tab and scrolling to the bottom of the presented list shows a button, "Manage certificates".
Clicking on that button brings up the "Trusted Certificates" dialog box.
Clicking on the "Trusted Root Certification Authorities" tab reveals a long list of certificates.
Scroll down to "CNNIC ROOT" and double-click on its entry to bring up your third dialog box, "Certificate".
Click on the "Details" tab and then the "Edit Properties..." button to open the final dialog, "Certificate Properties".
Click on "Disable all purposes for this certificate" and then "OK", "OK", "Close" and "Close".It is unfortunate that this does not preserve the various check-marks on the individual purposes.
I would have liked to have that information retained for future reference.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31014964</id>
	<title>Re:Something more substantial than Wikipedia ?</title>
	<author>Anonymous</author>
	<datestamp>1264933080000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>simple -- because many people don't trust them. that is the very definition of untrusted/untrustworthy.</p></htmltext>
<tokenext>simple -- because many people do n't trust them .
that is the very definition of untrusted/untrustworthy .</tokentext>
<sentencetext>simple -- because many people don't trust them.
that is the very definition of untrusted/untrustworthy.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002770</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004106</id>
	<title>The role of SSL/TLS</title>
	<author>JSG</author>
	<datestamp>1265121900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I scanned fairly quickly through the comments here but none seems to point out the obvious:</p><p>SSL DOES NOT ATTEMPT TO GUARANTEE ANYTHING APART FROM AUTHENTICTY</p><p>As it appears, this mob have verified their identity sufficiently for Mozilla to decide they are able to put something on the interweb and verify they put it there.</p><p>Should I be worried - no I don't think so.</p><p>I've just (skimmed) read the Mozilla bug entry for this and as far as I can tell all was correct.</p><p>What exactly is the problem here?  SSL is a mechanism (Mozilla very kindly provide that) not a policy (you do that bit)</p></htmltext>
<tokenext>I scanned fairly quickly through the comments here but none seems to point out the obvious : SSL DOES NOT ATTEMPT TO GUARANTEE ANYTHING APART FROM AUTHENTICTYAs it appears , this mob have verified their identity sufficiently for Mozilla to decide they are able to put something on the interweb and verify they put it there.Should I be worried - no I do n't think so.I 've just ( skimmed ) read the Mozilla bug entry for this and as far as I can tell all was correct.What exactly is the problem here ?
SSL is a mechanism ( Mozilla very kindly provide that ) not a policy ( you do that bit )</tokentext>
<sentencetext>I scanned fairly quickly through the comments here but none seems to point out the obvious:SSL DOES NOT ATTEMPT TO GUARANTEE ANYTHING APART FROM AUTHENTICTYAs it appears, this mob have verified their identity sufficiently for Mozilla to decide they are able to put something on the interweb and verify they put it there.Should I be worried - no I don't think so.I've just (skimmed) read the Mozilla bug entry for this and as far as I can tell all was correct.What exactly is the problem here?
SSL is a mechanism (Mozilla very kindly provide that) not a policy (you do that bit)</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003710</id>
	<title>Re:Does anyone notable *not* support CNNIC?</title>
	<author>Anonymous</author>
	<datestamp>1265118960000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I'm tired of hearing et tu quoque (http://en.wikipedia.org/wiki/Tu\_quoque) arguments every time China is mentioned. Brits want to monitor everything, French want to ban users. That's bad and<nobr> <wbr></nobr>/. readers get angry about it too. How does that make Chinese information warfare any better?</p><p>http://en.wikipedia.org/wiki/And\_you\_are\_lynching\_Negroes</p></htmltext>
<tokenext>I 'm tired of hearing et tu quoque ( http : //en.wikipedia.org/wiki/Tu \ _quoque ) arguments every time China is mentioned .
Brits want to monitor everything , French want to ban users .
That 's bad and / .
readers get angry about it too .
How does that make Chinese information warfare any better ? http : //en.wikipedia.org/wiki/And \ _you \ _are \ _lynching \ _Negroes</tokentext>
<sentencetext>I'm tired of hearing et tu quoque (http://en.wikipedia.org/wiki/Tu\_quoque) arguments every time China is mentioned.
Brits want to monitor everything, French want to ban users.
That's bad and /.
readers get angry about it too.
How does that make Chinese information warfare any better?http://en.wikipedia.org/wiki/And\_you\_are\_lynching\_Negroes</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003298</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002366</id>
	<title>Re:Given they've bowed to Chinese pressure</title>
	<author>klui</author>
	<datestamp>1265111640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>If you delete the CA when it returns (not sure why it does that) its properties, when you click Edit..., will be all unchecked.</p><p>Tools&gt;Options...; Advanced, Encryption tab, [View Certificates]; Authorities tab, click CNNIC ROOT, [Edit...]/[Delete...].</p></htmltext>
<tokenext>If you delete the CA when it returns ( not sure why it does that ) its properties , when you click Edit... , will be all unchecked.Tools &gt; Options... ; Advanced , Encryption tab , [ View Certificates ] ; Authorities tab , click CNNIC ROOT , [ Edit... ] / [ Delete... ] .</tokentext>
<sentencetext>If you delete the CA when it returns (not sure why it does that) its properties, when you click Edit..., will be all unchecked.Tools&gt;Options...; Advanced, Encryption tab, [View Certificates]; Authorities tab, click CNNIC ROOT, [Edit...]/[Delete...].</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002260</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005850</id>
	<title>Re: As usual, please refrain from blindly chiming</title>
	<author>kestasjk</author>
	<datestamp>1265132940000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>Doesn't Firefox warn you if a key for a certain domain suddenly changes to something different? Remember these guys sign keys, they say "this guy is who he says he is", does that really give them the power to listen in on people?<br>
They can only do so by replacing the key with something new, which probably generates a big security warning, and then they have to reencrypt it with the old key, so they do have to intercept communication and not just listen in.<br> <br>

I don't know if you should be concerned about that yet, unless you're Chinese (in which case what is the alternative? only trust American businesses with American CAs?)</htmltext>
<tokenext>Does n't Firefox warn you if a key for a certain domain suddenly changes to something different ?
Remember these guys sign keys , they say " this guy is who he says he is " , does that really give them the power to listen in on people ?
They can only do so by replacing the key with something new , which probably generates a big security warning , and then they have to reencrypt it with the old key , so they do have to intercept communication and not just listen in .
I do n't know if you should be concerned about that yet , unless you 're Chinese ( in which case what is the alternative ?
only trust American businesses with American CAs ?
)</tokentext>
<sentencetext>Doesn't Firefox warn you if a key for a certain domain suddenly changes to something different?
Remember these guys sign keys, they say "this guy is who he says he is", does that really give them the power to listen in on people?
They can only do so by replacing the key with something new, which probably generates a big security warning, and then they have to reencrypt it with the old key, so they do have to intercept communication and not just listen in.
I don't know if you should be concerned about that yet, unless you're Chinese (in which case what is the alternative?
only trust American businesses with American CAs?
)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002652</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003924</id>
	<title>Re:Centralized key distribution hierarchy failure.</title>
	<author>Anonymous</author>
	<datestamp>1265120640000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>1</modscore>
	<htmltext><p>Firstly, SSH requires out-of-band key exchanges. You know, like over a USB stick or something. There is no secure certificate exchange. So, in other words, no-one could ever get the certificates for 99.9\% of websites.</p><p>Secondly, keys *do* change all the time; as they should. No matter how many bits you use, your certificate shouldn't go more than a few years without being renewed, or you put the key at risk of attack.</p><p>Thirdly, there would be no mechanism for revoking a certificate once compromised.</p><p>In short, no. Put more thought into what the systems you are proposing are actually trying to achieve.</p></htmltext>
<tokenext>Firstly , SSH requires out-of-band key exchanges .
You know , like over a USB stick or something .
There is no secure certificate exchange .
So , in other words , no-one could ever get the certificates for 99.9 \ % of websites.Secondly , keys * do * change all the time ; as they should .
No matter how many bits you use , your certificate should n't go more than a few years without being renewed , or you put the key at risk of attack.Thirdly , there would be no mechanism for revoking a certificate once compromised.In short , no .
Put more thought into what the systems you are proposing are actually trying to achieve .</tokentext>
<sentencetext>Firstly, SSH requires out-of-band key exchanges.
You know, like over a USB stick or something.
There is no secure certificate exchange.
So, in other words, no-one could ever get the certificates for 99.9\% of websites.Secondly, keys *do* change all the time; as they should.
No matter how many bits you use, your certificate shouldn't go more than a few years without being renewed, or you put the key at risk of attack.Thirdly, there would be no mechanism for revoking a certificate once compromised.In short, no.
Put more thought into what the systems you are proposing are actually trying to achieve.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003120</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005258</id>
	<title>Re: As usual, please refrain from blindly chiming</title>
	<author>mysidia</author>
	<datestamp>1265128860000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>
Because 90\% of internet users don't know what the hell a SSL certificate is and can't intelligently make the decision.
</p><p>
The presence of the cert does more harm than good, if it's being used to distribute malware, then obviously it is not trustworthy, and  Mozilla is harming the community by including it.
</p><p>
If you want to go out on your own and install the cert, fine.
</p><p>
Mozilla should have no part in installing by default a cert that is untrustworthy.
</p><p>
They should remove the default authority and let you install manually if you want it.
</p></htmltext>
<tokenext>Because 90 \ % of internet users do n't know what the hell a SSL certificate is and ca n't intelligently make the decision .
The presence of the cert does more harm than good , if it 's being used to distribute malware , then obviously it is not trustworthy , and Mozilla is harming the community by including it .
If you want to go out on your own and install the cert , fine .
Mozilla should have no part in installing by default a cert that is untrustworthy .
They should remove the default authority and let you install manually if you want it .</tokentext>
<sentencetext>
Because 90\% of internet users don't know what the hell a SSL certificate is and can't intelligently make the decision.
The presence of the cert does more harm than good, if it's being used to distribute malware, then obviously it is not trustworthy, and  Mozilla is harming the community by including it.
If you want to go out on your own and install the cert, fine.
Mozilla should have no part in installing by default a cert that is untrustworthy.
They should remove the default authority and let you install manually if you want it.
</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002332</id>
	<title>Re:Given they've bowed to Chinese pressure</title>
	<author>Anonymous</author>
	<datestamp>1265111460000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext>You could just delete the certificate yourself.  "Edit, Preferences, Advanced, Encryption, View Certificates"[1].  Select the one from CNNIC and hit "Delete".<br> <br>

[1] "Tools, Options, Advanced, Advanced, View Certificates" if you are on Windows, but if you <em>are</em> on Windows the CNNIC certificate is probably not the most significant of your security worries...<nobr> <wbr></nobr>:)</htmltext>
<tokenext>You could just delete the certificate yourself .
" Edit , Preferences , Advanced , Encryption , View Certificates " [ 1 ] .
Select the one from CNNIC and hit " Delete " .
[ 1 ] " Tools , Options , Advanced , Advanced , View Certificates " if you are on Windows , but if you are on Windows the CNNIC certificate is probably not the most significant of your security worries... : )</tokentext>
<sentencetext>You could just delete the certificate yourself.
"Edit, Preferences, Advanced, Encryption, View Certificates"[1].
Select the one from CNNIC and hit "Delete".
[1] "Tools, Options, Advanced, Advanced, View Certificates" if you are on Windows, but if you are on Windows the CNNIC certificate is probably not the most significant of your security worries... :)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002260</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002490</id>
	<title>NOW you DICKHEADS are p0wned by them for real</title>
	<author>Anonymous</author>
	<datestamp>1265112360000</datestamp>
	<modclass>Flamebait</modclass>
	<modscore>-1</modscore>
	<htmltext><p>Stupid stupid eurotrash idiots!  Don't trust COMMIES, PERIOD!</p></htmltext>
<tokenext>Stupid stupid eurotrash idiots !
Do n't trust COMMIES , PERIOD !</tokentext>
<sentencetext>Stupid stupid eurotrash idiots!
Don't trust COMMIES, PERIOD!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31012622</id>
	<title>Re:Does anyone notable *not* support CNNIC?</title>
	<author>homesteader</author>
	<datestamp>1264964580000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>My instance of Safari 4.03 on OS X (10.5.7) does not trust CNNIC.</p></htmltext>
<tokenext>My instance of Safari 4.03 on OS X ( 10.5.7 ) does not trust CNNIC .</tokentext>
<sentencetext>My instance of Safari 4.03 on OS X (10.5.7) does not trust CNNIC.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003120</id>
	<title>Centralized key distribution hierarchy failure...</title>
	<author>argent</author>
	<datestamp>1265115780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I suspect that in practice simply following the SSH model would be pretty much as secure and a lot safer from this kind of attack.</p><p>That's the model where all keys are effectively "self signed", and you don't check whether the key is signed by a trusted authority... instead you check whether the key has changed, and raise an alert if so.</p><p>Using BOTH techniques... alerting people if the key changes whether it's self-signed or centrally signed... seems to be the best solution. That way if CNNIC wants to MITM you they have to be damn sure you haven't already got the real key in hand.</p></htmltext>
<tokenext>I suspect that in practice simply following the SSH model would be pretty much as secure and a lot safer from this kind of attack.That 's the model where all keys are effectively " self signed " , and you do n't check whether the key is signed by a trusted authority... instead you check whether the key has changed , and raise an alert if so.Using BOTH techniques... alerting people if the key changes whether it 's self-signed or centrally signed... seems to be the best solution .
That way if CNNIC wants to MITM you they have to be damn sure you have n't already got the real key in hand .</tokentext>
<sentencetext>I suspect that in practice simply following the SSH model would be pretty much as secure and a lot safer from this kind of attack.That's the model where all keys are effectively "self signed", and you don't check whether the key is signed by a trusted authority... instead you check whether the key has changed, and raise an alert if so.Using BOTH techniques... alerting people if the key changes whether it's self-signed or centrally signed... seems to be the best solution.
That way if CNNIC wants to MITM you they have to be damn sure you haven't already got the real key in hand.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258</id>
	<title>As usual, please refrain from blindly chiming in?</title>
	<author>Anonymous</author>
	<datestamp>1265111040000</datestamp>
	<modclass>Funny</modclass>
	<modscore>5</modscore>
	<htmltext><p>Wow, youre so new here, youre still dripping wet and covered in placenta.</p></htmltext>
<tokenext>Wow , youre so new here , youre still dripping wet and covered in placenta .</tokentext>
<sentencetext>Wow, youre so new here, youre still dripping wet and covered in placenta.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004710</id>
	<title>they can issue a cert for *any* domain</title>
	<author>Anonymous</author>
	<datestamp>1265125800000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Why would we give a dictatorship the ability to make our browser trust any site we connect to on the internet?</p></htmltext>
<tokenext>Why would we give a dictatorship the ability to make our browser trust any site we connect to on the internet ?</tokentext>
<sentencetext>Why would we give a dictatorship the ability to make our browser trust any site we connect to on the internet?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534</id>
	<title>Re: As usual, please refrain from blindly chiming</title>
	<author>Actually, I do RTFA</author>
	<datestamp>1265112660000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>I take issue to the next phrase: "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."</p><p>Are you saying "should Mozilla remove it?"  Then the answer is probably no, becuase Mozillia is not an omni-beneficent entity.  It probably helps them in some way to include it.</p><p>The question is, should individual users remove it?  And yes, by the link that you provided indicating it's role in the distribution of malware.  Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?  </p></htmltext>
<tokenext>I take issue to the next phrase : " Since Mozilla has already accepted CNNIC as a trusted root CA , the burden rests with those who argue for its removal .
" Are you saying " should Mozilla remove it ?
" Then the answer is probably no , becuase Mozillia is not an omni-beneficent entity .
It probably helps them in some way to include it.The question is , should individual users remove it ?
And yes , by the link that you provided indicating it 's role in the distribution of malware .
Why should I let Mozilla , a large group with contradictory desires and many masters , control whether I delist it as a trusted root ?</tokentext>
<sentencetext>I take issue to the next phrase: "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal.
"Are you saying "should Mozilla remove it?
"  Then the answer is probably no, becuase Mozillia is not an omni-beneficent entity.
It probably helps them in some way to include it.The question is, should individual users remove it?
And yes, by the link that you provided indicating it's role in the distribution of malware.
Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?  </sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258</parent>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31008172
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002770
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006734
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002550
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_29</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004104
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_34</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006118
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_36</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003674
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003298
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006370
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_40</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003516
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002652
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006228
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002770
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003710
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003298
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_37</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31010286
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003782
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005232
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_28</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31012622
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_31</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003294
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002770
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002384
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002260
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_27</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003924
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003120
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003058
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_21</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004046
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002502
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_45</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31012234
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003152
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002550
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003188
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006636
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_26</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003298
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005114
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002900
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005118
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002332
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002260
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004382
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002260
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_44</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31014964
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002770
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31008232
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002652
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005138
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003298
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31011826
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002502
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002874
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_38</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31008088
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003298
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_32</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003222
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002900
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31008372
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_33</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31015858
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002332
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002260
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_35</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31019844
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002892
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002524
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002958
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002260
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_25</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005258
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_30</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003770
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002770
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_43</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31016048
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005850
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002652
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004030
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002550
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_22</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005692
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_24</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31010098
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005850
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002652
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_23</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004680
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31013060
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002600
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_42</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003368
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_39</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002366
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002260
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_02_202238_41</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31007016
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002550
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002628
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003298
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003534
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003674
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31008088
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005138
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003710
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006636
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004680
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005692
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31012622
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002550
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006734
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004030
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003152
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31012234
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31007016
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004630
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002600
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31013060
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003782
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31010286
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004160
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002258
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004104
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006370
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002534
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003368
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002874
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003058
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005258
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005232
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31008372
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006118
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002652
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003516
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31008232
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005850
----http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31010098
----http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31016048
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003188
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002260
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002332
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005118
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31015858
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002384
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002958
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004382
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002366
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003268
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002588
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002770
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31014964
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003294
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31006228
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31008172
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003770
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002524
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002892
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31019844
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004106
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004526
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002900
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31005114
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003222
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003120
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31003924
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_02_202238.16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31002502
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31004046
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_02_202238.31011826
</commentlist>
</conversation>
