There are some good arguments in both directions on that thread. I do happen to like the world in which, say, Let's Encrypt is capable of issuing for any TLD. If we don't think WoSign is good enough for signing .com, we probably shouldn't be exposing .cn users to those attacks, either.
I find the arguments from "it's wrong to recognize borders on the Internet" a bit naive, or impractical. The borders recognize us, and state-sponsored attacks will continue, and have very far-reaching implications. We need better tools to fight them, including this one.
I like the discussion in that thread about how to make the scheme reasonably flexible, though. Thanks for the link.
Ryan Sleevi makes a good argument here about why that's bad policy for the internet:
https://groups.google.com/d/msg/mozilla.dev.security.policy/...