At 2:39 PM +0100 5/24/07, Gervase Markham wrote:
>There are currently two CAs who have applied for inclusion in the NSS
>store but their audits were done by their respective governments and are
>classified, and/or they are directly controlled by those governments.
>
>They are:
>
>KISA (South Korea, .kr)
>https://bugzilla.mozilla.org/show_bug.cgi?id=335197
>DCSSI (France, .fr)
>https://bugzilla.mozilla.org/show_bug.cgi?id=368970
>
>I am told that later this year, it will be technically possible in NSS
>to add additional restrictions to roots in the store. This comes with
>the SQLite port of the back-end database that Bob Relyea is doing.
>
>My proposal is that we accept such CAs, but use this technical
>capability to restrict them to signing certificates for domains under
>the appropriate TLD. The logic is that citizens of those countries have
>to trust their government anyway, but that citizens of other countries
>should not be forced to.

That makes the assumption that all domains from those countries are 
in the countries' TLDs; that is a bad assumption. Further, it makes 
it seem like these CAs are somehow "official" for the TLDs, which is 
patently wrong in both the existing cases.

If the NSA gives a classified audit to a non-military US government 
root, are you going to restrict them to ".us"? Note that KISA is the 
Korean equivalent of the U.S. NIST; it is not some powerful agency 
that speaks for the whole government. (I don't know about DCSSI.)

I propose that we simply do not allow classified audits. Those two 
CAs can get additional, non-classified audits if they want to be in 
the root store.

>Note that both CAs have been accepted, unrestricted, into the Microsoft
>Root Program, on the basis of "trust us, we did the audit" letters
>written by the respective governments.

And this is relevant how? :-)

>A useful thought experiment might be to ask what would happen if a CA
>from North Korea were to apply for inclusion under the same types of
>condition.

If FubarSign came to us with a "classified" audit from a commercial 
auditor, would we even consider it?

Why should countries be different than commercial entities?
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
