They are:
KISA (South Korea, .kr)
https://bugzilla.mozilla.org/show_bug.cgi?id=335197
DCSSI (France, .fr)
https://bugzilla.mozilla.org/show_bug.cgi?id=368970
I am told that later this year, it will be technically possible in NSS
to add additional restrictions to roots in the store. This comes with
the SQLite port of the back-end database that Bob Relyea is doing.
My proposal is that we accept such CAs, but use this technical
capability to restrict them to signing certificates for domains under
the appropriate TLD. The logic is that citizens of those countries have
to trust their government anyway, but that citizens of other countries
should not be forced to.
Note that both CAs have been accepted, unrestricted, into the Microsoft
Root Program, on the basis of "trust us, we did the audit" letters
written by the respective governments.
A useful thought experiment might be to ask what would happen if a CA
from North Korea were to apply for inclusion under the same types of
condition.
Comments?
Gerv