Frank Hecker wrote:
> More importantly, there was strong resistance to the idea of moving away
> from a universal root list. Some people pointed out that the localized
> language versions didn't exactly map to particular countries, and that
> many people in particular countries used the US English version or
> another version other than the one assumed to be "correct" for them.
> However IIRC the more vehement objection was that we should have a
> situation where some sites worked in some versions of Firefox and didn't
> work in other versions of Firefox (because the root was missing).
>
> That's basically where we left the discussion. I didn't see any real
> support for the idea of localized root lists, so I dropped the idea. And
> that's why I'm still processing requests from government CAs. The
> alternative idea would be not including government-operated CAs at all;
> however that would cause problems for Firefox users in countries where
> such CAs existed and were used to issue certs for government sites used
> by citizens or for related purposes.

At the time, I believe I counter-proposed that the government certificate in question should be trusted to validate the identity of sites within that country: i.e. a Korean government CA would have a "limited" root which could only verify the identity of sites within the top-level .ko. This certainly matches my natural trust (as a U.S. citizen) of the Korean government: I trust it to identify its own citizens and companies to me, but I do not trust it to identify anyone to me.

--BDS

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
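
The "limited" root proposed in the message above, sketched as an added example (not part of the original message and not Mozilla's code): each root carries a list of permitted DNS subtrees, matched the way RFC 5280 dNSName name constraints are. The root names and the trust-store layout are hypothetical; the `ko` subtree is the one the message names.

```python
# Added illustration: per-root DNS scoping in the spirit of X.509 dNSName
# name constraints (RFC 5280, section 4.2.1.10). Root names are hypothetical.

# Constructed trust store: root label -> permitted DNS subtrees.
# None means an unconstrained (universal) root.
ROOT_SCOPES = {
    "Example Government Root": ("ko",),   # TLD as written in the message
    "Example Commercial Root": None,
}


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing root dot."""
    return name.strip().lower().rstrip(".")


def within_subtree(dns_name: str, subtree: str) -> bool:
    """True if dns_name equals subtree or adds labels to its left."""
    name = _normalize(dns_name)
    base = _normalize(subtree)
    if name.startswith("*."):
        # A wildcard SAN is in scope only if its parent domain is.
        name = name[2:]
    if not name or not base:
        return False
    # The "." prefix stops look-alikes such as "evilko" from matching "ko".
    return name == base or name.endswith("." + base)


def root_may_vouch_for(root: str, san_dns_names: list[str]) -> bool:
    """Decide whether a chain ending at `root` may assert every SAN."""
    if root not in ROOT_SCOPES:
        return False                      # unknown root: not trusted at all
    scopes = ROOT_SCOPES[root]
    if scopes is None:
        return True                       # universal root, no scoping
    if not san_dns_names:
        return False                      # nothing to check: fail closed
    # Every name must be in scope; one out-of-scope SAN rejects the cert.
    return all(
        any(within_subtree(n, s) for s in scopes) for n in san_dns_names
    )
```

Checking every SAN rather than only the first is what keeps a scoped root from vouching for an out-of-scope host listed alongside an in-scope one.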