Mozilla will lift the restriction if CNNIC again goes through the process required for CAs to have their root certificates included in the Mozilla root program -- a process that involves extensive verifications and can take around a year. If CNNIC's application fails, its existing root certificates will be completely removed.
In order to prevent CNNIC from issuing new certificates with a creation date set in the past -- "back-dated" certificates -- that would bypass Mozilla's restriction, the organization plans to ask CNNIC for a full list of certificates it has issued until now. Such a list could also be obtained from Google, whose announcement Wednesday suggested that the company already has one.
"To assist customers affected by this decision, for a limited time we will allow CNNIC's existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist," Google said in a blog post.
In a practical sense, Mozilla's and Google's plans would have the same effect: their respective products will reject new CNNIC-issued certificates until the Chinese authority goes through a recertification process. Both companies will continue to trust existing CNNIC certificates so that users can access sites using those certificates, but possibly for different periods of time.
In a statement published on its website Thursday, CNNIC described Google's decision as "unacceptable and unintelligible."
CNNIC is an agency that operates under China's Ministry of Information Industry. Aside from issuing digital certificates, its responsibilities include administering the .cn top-level domain and assigning IP (Internet Protocol) addresses in the country.