David E. Ross wrote: > Your last sentence is exactly my point. It would be very difficult to > create an objective policy that allows some governments to certify CAs > but not allow others. This is true without regard for the issue of > secret certifications.
An objective policy would be "all governments can certify CAs for their own TLD only". That is why I suggested the restriction - so that we could have an neutral policy. If we were to implement that scheme, then the Government of North Korea is welcome to apply to have a root inserted which can only issue certs for .kp. (As it happens, their TLD is not in use. But it would be fine if it were.) > Not only should Mozilla not accept classified audits. We should also > put that into the formal policy. Where classifying an audit makes sense > (e.g., for a military CA), users and system administrators have the > ability to install the affected root certificates without involving > Mozilla; in that case, even the existence of the root certificate might > itself be classified. Given that we don't see the actual audit report for any audits we accept, what are you defining as the difference between a classified and an unclassified audit? (You may wish to say at this point that the confusion is my fault, because I misled you about the nature of the situation. That would be fine :-) Gerv _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
