On 09/03/2018 05:28,
westm...@gmail.com wrote:
> It's bad that 70% of the root certificates in the discussion thread are certificates of governments that are not needed to anyone except these governments.
>
> Andrew
>
And the citizens under those governments.
And anyone elsewhere checking out things in that country for any reason.
(how much depends how much of the stuff in that country uses it, for
example, some years ago, every citizen in Denmark could get a free(ish)
e-mail/client certificate under the TDC root, this was later taken over
by a banking services company that changed it into a two-factor login
with private keys on their server!).
But yes, country-specific CAs should be restricted to trust for entities
in that country only (domains under the country TLDs, subject DN country
code in that country etc.). And this should be technically enforced
even if the country-folk don't add that restriction themselves.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.
https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct
+45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded