CAs and country restrictions

[Gervase Markham]

There are currently two CAs who have applied for inclusion in the NSS
store but their audits were done by their respective governments and are
classified, and/or they are directly controlled by those governments.

They are:

KISA (South Korea, .kr)
https://bugzilla.mozilla.org/show_bug.cgi?id=335197
DCSSI (France, .fr)
https://bugzilla.mozilla.org/show_bug.cgi?id=368970

I am told that later this year, it will be technically possible in NSS
to add additional restrictions to roots in the store. This comes with
the SQLite port of the back-end database that Bob Relyea is doing.

My proposal is that we accept such CAs, but use this technical
capability to restrict them to signing certificates for domains under
the appropriate TLD. The logic is that citizens of those countries have
to trust their government anyway, but that citizens of other countries
should not be forced to.

Note that both CAs have been accepted, unrestricted, into the Microsoft
Root Program, on the basis of "trust us, we did the audit" letters
written by the respective governments.

A useful thought experiment might be to ask what would happen if a CA
from North Korea were to apply for inclusion under the same types of
condition.

Comments?

Gerv