No Russian CAs


ddan....@gmail.com

Aug 24, 2018, 2:23:37 PM
to mozilla-dev-s...@lists.mozilla.org
Greetings,
I would like to ask why there are no root certificate authorities from organizations in the Russian Federation. Specifically I haven't found any with the country code RU in the NSS CA bundle. Is it due to political pressure? Or does the Russian government have a bad history with forcing CAs to issue certificates? As far as I know Yandex has its own intermediate CA, signed by Certum. So I can't see the issue? Also can you point me to a few bugs where Russian CAs have attempted inclusion? Bugzilla search isn't very helpful, and I have tried searching in "CA Certificates Code", "CA Certificate Mis-Issuance" and "CA Certificate Root Program".

Kurt Roeckx

Aug 24, 2018, 2:28:36 PM
to ddan....@gmail.com, mozilla-dev-s...@lists.mozilla.org
Probably because no Russian CA has applied to be in the root store.

Caju Mihai

Aug 24, 2018, 2:40:39 PM
to mozilla-dev-s...@lists.mozilla.org
On Friday, 24 August 2018, 21:28:36 UTC+3, Kurt Roeckx wrote:
> Probably because no Russian CA has applied to be in the root store.

A CA from Kazakhstan has applied; although I can't find them in the search results, I have found a link to the bug in the wiki.

westm...@gmail.com

Aug 24, 2018, 6:38:54 PM
to mozilla-dev-s...@lists.mozilla.org
Hello Caju Mihai,

Because in Russia there are no significant and notable CAs. Usually only foreign CAs are used.

Sincerely,
Andrew (Russia)

Caju Mihai

Aug 25, 2018, 12:55:11 PM
to mozilla-dev-s...@lists.mozilla.org
That seems rather odd given that much smaller countries have CAs, such as Romania and Poland. Is there a reason for that?

westm...@gmail.com

Aug 25, 2018, 1:36:49 PM
to mozilla-dev-s...@lists.mozilla.org
There is simply no market for CAs in Russia. But if this market were to appear, it is unlikely that it would enjoy the trust of ordinary web users: please read Yarovaya's Law (surveillance and web logging in the WWW of Russia up to 6 months).

Sincerely,
Andrew (Russia)

Ryan Hurst

Aug 27, 2018, 10:14:18 AM
to mozilla-dev-s...@lists.mozilla.org
On Friday, August 24, 2018 at 11:23:37 AM UTC-7, Caju Mihai wrote:
> Greetings,
> I would like to ask why there are no root certificate authorities from organizations in the Russian Federation. Specifically I haven't found any with the country code RU in the NSS CA bundle. Is it due to political pressure? Or does the Russian government have a bad history with forcing CAs to issue certificates? As far as I know Yandex has its own intermediate CA, signed by Certum. So I can't see the issue? Also can you point me to a few bugs where Russian CAs have attempted inclusion? Bugzilla search isn't very helpful, and I have tried searching in "CA Certificates Code", "CA Certificate Mis-Issuance" and "CA Certificate Root Program".

The Russian market (really the whole FSU) is notably different than other markets, at least in the context of the WebPKI. Most notably the government mandate for the use of GOST approved algorithms and implementations conflicts with the WebTrust mandate of RSA, and the global standard ECC curves.

This is meaningful because many CAs make a large portion of their revenue not off SSL certificates but other services (digital signatures, enterprise use cases, etc). Many of these other use cases are covered by the many government-licensed CAs (hundreds, last I heard) that are used for these cases while using GOST approved algorithms.

Above and beyond that I would say the cost realities of commercial WebPKI offerings make it difficult to justify that particular business in the Russian market.

With that said I think your real question is could a Russian CA become a WebTrust and browser trusted CA? I personally think the answer is yes (though I doubt the business viability) if they could get clarity from the FSB on approval to operate such a CA given the current guidance regarding approved GOST algorithms.