Paul Hoffman wrote:
> 
> My feeling is that we would be better off not making this leap of 
> limitation. Either someone is allowed to certify in all domain names, or 
> in none.

...

> 
> The easiest way to avoid such problems is to not get into the business 
> of subsetting which domains a CA is allowed to use in the identifiers.


Paul's argument seems extremely cogent to me. I would want to see a 
compelling concrete example of this policy failing us, and a solution 
that doesn't introduce new risks, before we disregard it.

> 
>> If the Austrian Government CA comes and
>> says "We have ten million Austrian citizens using our email certs;
>> please add our root to Thunderbird", who would we ask to audit them?
> 
> Yes
> 
>> A
>> better solution, surely, is to add it but allow them to sign only .at
>> addresses.
> 
> We disagree here. I feel that a better solution is to treat them like 
> all other CAs from a trust and security perspective.

I agree with Paul. I don't think the root domain entitles them to any 
special treatment.

- Rob
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
