1. Is it considered by CNNIC as "service on technology and research" to spread malware with administrative power to spy on Internet users?
2. Is it considered by CNNIC as "service on technology and research" to ban personal website registration in the .cn domain space?
3. CNNIC banned the DNS resolving of a lot of independent websites, such as bulllog.cn. Is this considered by CNNIC as your way of "service" of "registry for Chinese Domain Name"? Is this considered by CNNIC as "the similar role as VeriSign"?
4. Is CNNIC "qualified with the international criteria" as a trustworthy certificate authority?
5. Why did Liu Yan try to mask the real face of the PRC governmental nature of CNNIC? Why did he even try to hide the application by setting the bug report to "Restricted Visibility" at first?
6. Liu Yan said: "CA is a new operation for CNNIC to protect Internet security". Is it considered by CNNIC as an "operation to protect Internet security" to spread unremovable malware to spy on users' Internet activities by exploiting security flaws of the browsers, as CNNIC did? Liu Yan further claimed that "the WebTrust audit for government is much simpler compared to company". So do you think CNNIC is a government or not? If CNNIC is controlled by the PRC government, why don't you dare to clearly admit it, but instead mislead the readers by posing as an organization that "just offers service on technology and research"? What's the motivation to hide the real identity of CNNIC? :)

Liu Yan (note: the CNNIC employee who posted in the Mozilla community) said: "There is no possible for us to monitor the user's actions or do some attacks. I think every technical personnel knows that." Unfortunately, this is an arrant lie. CNNIC not only DID "monitor the users' actions" with intentionally spread malware, but also cooperated actively with the PRC government to crack down on independent blogs and websites.
It's also highly possible that they may actively cooperate in MITM attacks with such a government, which attacked its citizens, as well as dozens of companies and many computers of foreign civil organizations and government offices. Further, is the PRC government a decent government? Should a government put all its citizens in an information jail by building a GFW (Great Firewall) to block their access to the Internet? Should a government enforce news and speech censorship on all websites, including search engines, to block criticism of the crimes it committed? Should a government jail journalists and writers for their free speech? Should a government kill college students and citizens with guns, and roll over the bodies of college students with tanks? Should a government cheat the world by hiding information about SARS and melamine-contaminated milk, which caused repeated man-made disasters, and further punish those who told the truth? Is this PRC government a real government, or is it a mafia group? :)

Liu Yan claimed that CNNIC is a subordinate of the "Chinese Academy of Sciences". Let's take a look at what kind of "research" the "Chinese Academy of Sciences" has done before. :) The Institute of Acoustics, Chinese Academy of Sciences, closely cooperated with the PRC government in Internet censorship. Like CNNIC, which "takes orders from the Ministry of Information Industry (MII)", they developed natural language machine understanding algorithms for Internet text censorship. The target of their research is to distinguish the speech of opponents of the government from that of its proponents, which general keyword-based filtering can't achieve. Their "research" was already deployed in the censorware "Green Dam", which the MII ordered to be installed on each new PC in the manufacturing process. Although this plan failed, they must have started some other plots to achieve the same goal.
Jonathan: "might well yank trust for any CA that was complicit in MitM attacks."

Does the word "was" mean that until a MitM attack happens, any organization can put its root CA certificate in Firefox, provided that it can buy endorsement "services" from accounting companies like Ernst & Young to acquire "trust" from webtrust.org? The real concern of many Chinese programmers is not about "was" but "may", as CNNIC already "DID" quite some dirty things before! Now it's a new capability that the inclusion of the CNNIC root certificate will grant to the PRC government. Anyway, since they already got a secondary CA certificate issued by Entrust.net, adding CNNIC as a root CA is not introducing more problems. But this discussion is an alert on the trust model of PKI when we face a rogue government and its minion organizations. We should improve the browser to ask the end users for permission to grant trust to each root CA when it's used in each session (not only the first time), clearly display the certificate signing path, and warn them of any change in certificates (to be alert to a MitM attack). This seems paranoid, but it's because we're facing real threats of attacks from a powerful rogue government, from which even big companies like Google and well-equipped government offices have suffered. The security model of SSL was practically in danger because of the design flaw of browsers placing blind trust in root CAs without consent from the users. Since the CA certificates of rogue government agencies were added, we should consider Firefox in its default configuration a rogue-government-controlled browser.
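The three mitigations proposed in the comment above (per-session consent for each root CA, a visible signing path, and a warning on any certificate change) as an added Python sketch; this is not code from the thread or from Mozilla. It assumes the TLS stack has already validated the chain's signatures, and it uses constructed placeholder bytes in place of real DER certificates.

```python
import hashlib

# Constructed sample certificates (not real DER): a browser would hash the
# actual certificate bytes; here the bytes only stand in for them. Chains are
# ordered leaf first, root last.
def cert(subject, issuer, body):
    return {"subject": subject, "issuer": issuer, "der": body}

ROOT_A = cert("Example Root CA", "Example Root CA", b"constructed root A")
INT_A = cert("Example Intermediate CA", "Example Root CA", b"constructed int A")
LEAF_A = cert("www.example.test", "Example Intermediate CA", b"constructed leaf 1")
LEAF_A2 = cert("www.example.test", "Example Intermediate CA", b"constructed leaf 2")
ROOT_B = cert("Other Root CA", "Other Root CA", b"constructed root B")
LEAF_B = cert("www.example.test", "Other Root CA", b"constructed leaf 3")

CHAIN_A = [LEAF_A, INT_A, ROOT_A]           # what the user first sees
CHAIN_A_RENEWED = [LEAF_A2, INT_A, ROOT_A]  # routine renewal, same signing path
CHAIN_B = [LEAF_B, ROOT_B]                  # same host, different root: alarm

def fingerprint(c):
    """SHA-256 over the certificate bytes, the value browsers show to users."""
    return hashlib.sha256(c["der"]).hexdigest()

def signing_path(chain):
    """Human-readable chain so the user sees which root vouched for the site."""
    return " <- ".join(c["subject"] for c in chain)

def root_needs_consent(session_consent, chain):
    """Per-session consent: True until the user approves this root this session."""
    return chain[-1]["subject"] not in session_consent

def approve_root(session_consent, chain):
    session_consent.add(chain[-1]["subject"])

def check_pin(store, host, chain):
    """Compare the chain seen now with what was pinned for host earlier.

    store maps host -> (leaf fingerprint, root subject). Only a first sighting
    is recorded automatically; a change is reported, never silently accepted.
    """
    leaf_fp, root = fingerprint(chain[0]), chain[-1]["subject"]
    if host not in store:
        store[host] = (leaf_fp, root)
        return "first-seen"
    old_fp, old_root = store[host]
    if old_root != root:
        return "root-changed"            # strongest MitM signal: new trust anchor
    if old_fp != leaf_fp:
        return "leaf-changed-same-root"  # could be renewal; still worth a prompt
    return "unchanged"

def accept_change(store, host, chain):
    """Called only after the user has reviewed signing_path() and agreed."""
    store[host] = (fingerprint(chain[0]), chain[-1]["subject"])
```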