CAs and country restrictions
Newsgroups: mozilla.dev.tech.crypto, mozilla.dev.security
Followup-To: mozilla.dev.tech.crypto
From: Gervase Markham <g...@mozilla.org>
Date: Thu, 24 May 2007 14:39:56 +0100
Local: Thurs, May 24 2007 9:39 am
Subject: CAs and country restrictions
There are currently two CAs who have applied for inclusion in the NSS
store but their audits were done by their respective governments and are
classified, and/or they are directly controlled by those governments.

They are:

KISA (South Korea, .kr)
https://bugzilla.mozilla.org/show_bug.cgi?id=335197
DCSSI (France, .fr)
https://bugzilla.mozilla.org/show_bug.cgi?id=368970

I am told that later this year, it will be technically possible in NSS
to add additional restrictions to roots in the store. This comes with
the SQLite port of the back-end database that Bob Relyea is doing.

My proposal is that we accept such CAs, but use this technical
capability to restrict them to signing certificates for domains under
the appropriate TLD. The logic is that citizens of those countries have
to trust their government anyway, but that citizens of other countries
should not be forced to.

Note that both CAs have been accepted, unrestricted, into the Microsoft
Root Program, on the basis of "trust us, we did the audit" letters
written by the respective governments.

A useful thought experiment might be to ask what would happen if a CA
from North Korea were to apply for inclusion under the same types of
condition.

Comments?

Gerv
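
An added illustration of the per-root TLD restriction proposed in the message above; it is not part of the original post and is not NSS code. The root names, the restriction table and the function names are assumptions made for the example.

```python
# Added example: checks a certificate's DNS names against a TLD restriction
# attached to the root it chains to. Root names below are constructed.
ROOT_TLD_RESTRICTIONS = {
    "Example KR Government Root (constructed)": "kr",
    "Example FR Government Root (constructed)": "fr",
}


def normalize(name):
    """Lower-case, drop one trailing dot, return the labels (None if malformed)."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    if not name or any(label == "" for label in labels):
        return None
    return labels


def name_permitted(dns_name, tld):
    """True if dns_name lies strictly under tld, compared label by label."""
    labels = normalize(dns_name)
    if labels is None or len(labels) < 2:
        return False  # empty, malformed, or the bare TLD itself
    if "*" in dns_name:
        # Wildcard must be the entire leftmost label and must not sit
        # directly on the TLD ("*.kr" would cover the whole country).
        if labels[0] != "*" or len(labels) < 3:
            return False
        if any("*" in label for label in labels[1:]):
            return False
    # Compare the final label, not a string suffix: "example.krx" and
    # "kr.example.com" must both fail for tld "kr".
    return labels[-1] == tld


def chain_permitted(root_name, dns_names):
    """Apply the root's restriction, if any, to every name in the certificate."""
    tld = ROOT_TLD_RESTRICTIONS.get(root_name)
    if tld is None:
        return True  # root carries no restriction in this table
    if not dns_names:
        return False  # nothing to match against a restricted root
    # Every name must pass; one out-of-TLD name defeats the restriction.
    return all(name_permitted(name, tld) for name in dns_names)
```

The check only enforces the TLD boundary; a certificate that mixes an in-country name with any other name is rejected as a whole.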
