At 2:39 PM +0100 5/24/07, Gervase Markham wrote:
>There are currently two CAs who have applied for inclusion in the NSS
>store but their audits were done by their respective governments and are
>classified, and/or they are directly controlled by those governments.
>
>They are:
>
>KISA (South Korea, .kr)
>https://bugzilla.mozilla.org/show_bug.cgi?id=335197
>DCSSI (France, .fr)
>https://bugzilla.mozilla.org/show_bug.cgi?id=368970
>
>I am told that later this year, it will be technically possible in NSS
>to add additional restrictions to roots in the store. This comes with
>the SQLite port of the back-end database that Bob Relyea is doing.
>
>My proposal is that we accept such CAs, but use this technical
>capability to restrict them to signing certificates for domains under
>the appropriate TLD. The logic is that citizens of those countries have
>to trust their government anyway, but that citizens of other countries
>should not be forced to.

That makes the assumption that all domains from those countries are in the countries' TLDs; that is a bad assumption. Further, it makes it seem like these CAs are somehow "official" for the TLDs, which is patently wrong in both the existing cases.

If the NSA gives a classified audit to a non-military US government root, are you going to restrict them to ".us"? Note that KISA is the Korean equivalent of the U.S. NIST; it is not some powerful agency that speaks for the whole government. (I don't know about DCSSI.)

I propose that we simply do not allow classified audits. Those two CAs can get additional, non-classified audits if they want to be in the root store.

>Note that both CAs have been accepted, unrestricted, into the Microsoft
>Root Program, on the basis of "trust us, we did the audit" letters
>written by the respective governments.

And this is relevant how? :-)

>A useful thought experiment might be to ask what would happen if a CA
>from North Korea were to apply for inclusion under the same types of
>condition.

If FubarSign came to us with a "classified" audit from a commercial auditor, would we even consider it? Why should countries be different than commercial entities?

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto