Paul Hoffman wrote:
> That makes the assumption that all domains from those countries are in
> the countries' TLDs; that is a bad assumption.

You mean that these CAs will not be able to sign certificates for some sites that they might want to (e.g. www.myfrenchsite.com)? Yes, but that's just tough on them.

> Further, it makes it seem
> like these CAs are somehow "official" for the TLDs, which is patently
> wrong in both the existing cases.

I don't think that's true. If there was a second CA audited by the French government, we'd restrict it in the same way. I don't see how _restricting_ their activities can make them _more_ official.

> If the NSA gives a classified audit to a non-military US government
> root, are you going to restrict them to ".us"?

The US, for historical reasons, is an unfortunate DNS anomaly. We'd have to cross this particular bridge when we came to it. But yes, maybe. .us, .mil and .gov. I would have no problem whatsoever in having a US government root which could only sign for .mil and .gov. Sounds like a great idea to me, and an improvement to security.

> I propose that we simply do not allow classified audits. Those two CAs
> can get additional, non-classified audits if they want to be in the root
> store.

That's certainly the alternative. However, I believe at least the French argued that they couldn't get a commercial audit for some reason or another. But my memory may be misleading me.

>> Note that both CAs have been accepted, unrestricted, into the Microsoft
>> Root Program, on the basis of "trust us, we did the audit" letters
>> written by the respective governments.
>
> And this is relevant how? :-)

It's an interesting piece of information - they were not rejected by other browsers because of this secrecy.

>> A useful thought experiment might be to ask what would happen if a CA
>> from North Korea were to apply for inclusion under the same types of
>> condition.
>
> If FubarSign came to us with a "classified" audit from a commercial
> auditor, would we even consider it?

No.

> Why should countries be different than commercial entities?

Because they have jurisdiction over their citizens, and (in direct or indirect ways) over their TLD. If the Austrian Government CA comes and says "We have ten million Austrian citizens using our email certs; please add our root to Thunderbird", who would we ask to audit them? A better solution, surely, is to add it but allow them to sign only .at addresses.

Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto