There are currently two CAs who have applied for inclusion in the NSS store but their audits were done by their respective governments and are classified, and/or they are directly controlled by those governments.
They are: KISA (South Korea, .kr) https://bugzilla.mozilla.org/show_bug.cgi?id=335197 DCSSI (France, .fr) https://bugzilla.mozilla.org/show_bug.cgi?id=368970 I am told that later this year, it will be technically possible in NSS to add additional restrictions to roots in the store. This comes with the SQLite port of the back-end database that Bob Relyea is doing. My proposal is that we accept such CAs, but use this technical capability to restrict them to signing certificates for domains under the appropriate TLD. The logic is that citizens of those countries have to trust their government anyway, but that citizens of other countries should not be forced to. Note that both CAs have been accepted, unrestricted, into the Microsoft Root Program, on the basis of "trust us, we did the audit" letters written by the respective governments. A useful thought experiment might be to ask what would happen if a CA from North Korea were to apply for inclusion under the same types of condition. Comments? Gerv _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
