Apple has kept root certificates from the China Internet Network Information Center (CNNIC) despite both Google and Mozilla revoking trust in the agency altogether.
As part of security upgrades for both of its operating systems and the root certificate for the Chinese CA remains in the trusted stores for iOS and OSX. However last month, both Google and Mozilla removed CNNIC from their browsers’ respective trust stores after an intermediate CA called MCS Holdings installed an unrestricted certificate in a device capable of doing SSL interception, and issuing certificates for several Google domains.
Google’s Adam Langley said in a blog post at the time of the incident: “CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered.
“However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons.”
CNNIC said in a statement that Google’s decision “is unacceptable and unintelligible”, and urged Google to take users’ rights and interests into full consideration. “For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.”
Mozilla said that after reviewing the circumstances, it concluded that CNNIC’s behaviour in issuing an “unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an egregious practice”.
Microsoft blocked the MCS Holdings certificate on March 24th in Internet Explorer, but did not remove CNNIC from its Certificate Trust List.