Gervase Markham wrote:
> There are currently two CAs who have applied for inclusion in the NSS
> store but their audits were done by their respective governments and are
> classified, and/or they are directly controlled by those governments.
>
> They are:
>
> KISA (South Korea, .kr)
> https://bugzilla.mozilla.org/show_bug.cgi?id=335197
> DCSSI (France, .fr)
> https://bugzilla.mozilla.org/show_bug.cgi?id=368970
>
> I am told that later this year, it will be technically possible in NSS
> to add additional restrictions to roots in the store. This comes with
> the SQLite port of the back-end database that Bob Relyea is doing.
>
> My proposal is that we accept such CAs, but use this technical
> capability to restrict them to signing certificates for domains under
> the appropriate TLD. The logic is that citizens of those countries have
> to trust their government anyway, but that citizens of other countries
> should not be forced to.
>
> Note that both CAs have been accepted, unrestricted, into the Microsoft
> Root Program, on the basis of "trust us, we did the audit" letters
> written by the respective governments.
>
> A useful thought experiment might be to ask what would happen if a CA
> from North Korea were to apply for inclusion under the same types of
> condition.
>
> Comments?
>
> Gerv

I believe that trust should require public disclosure.

We don't block users from installing unapproved root certificates. If someone wants such a certificate, they can download and install it themselves. If they ask why it's not pre-installed, we have a valid answer.

If appropriate, we could have another list of certificates added to the "Included" and "Pending" lists: "Not Approved" with only those root certificates that Mozilla was formally requested to install but were denied approval. The reason for disapproval would be indicated. Links to the CA and for downloading certificates could be included, with warnings that the users install such certificates at their own risk.

--
David E. Ross
<http://www.rossde.com/>

Anyone who thinks government owns a monopoly on inefficient, obstructive bureaucracy has obviously never worked for a large corporation. © 1997

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto