Frank Hecker wrote:
> Benjamin Smedberg wrote:
>> At the time, I believe I counter-proposed that the government
>> certificate in question should be trusted to validate the identity of
>> sites within that country: i.e. a Korean government CA would have a
>> "limited" root which could only verify the identity of sites within
>> the top-level .ko.
>
> It's a reasonable proposal, and we did look into doing this.
> Unfortunately there are .com domains and perhaps other non-.kr domains
> with certs issued by CAs in the KISA-rooted hierarchy. This is not
> unique to KISA and Korea either AFAIK. In the current state of affairs I
> don't think we have any general way to restrict government CAs or other
> country-specific CAs to issuing certs under their particular national
> TLDs; we'd need to have additional code in NSS or PSM to enforce custom
> restrictions. (Or just not include the roots at all.)

I agree that those are the choices. The additional code would impose
"name constraints" on roots and all their subordinate hierarchy. There is
no RFE from Mozilla to have such capability added to NSS, but I would
surely not oppose such an RFE. OTOH, Mozilla would probably have to fund
that development, since it is likely (IMO) that only the Mozilla clients
would make use of it.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
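
Added example (not part of the original message, and not NSS or PSM code): a sketch of the label-wise dNSName check that externally imposed name constraints on a root would perform, using the RFC 5280 matching rule. The root label, the policy table, the function names and every host name are constructed for illustration.

```python
# Added illustration, not NSS/PSM code. Root label, policy table and host
# names are constructed. Matching rule: RFC 5280 section 4.2.1.10, dNSName.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")

def dns_name_within(name, subtree):
    """True if `name` is `subtree` with zero or more labels added on the left.

    Comparison is per label, so "example.xkr" and "kr.example.com" do not
    match the subtree "kr", unlike a naive suffix or substring test.
    """
    n, s = _labels(name), _labels(subtree)
    return len(n) >= len(s) and n[-len(s):] == s

# Hypothetical policy: trust-anchor label -> permitted dNSName subtrees.
# A root that is absent from the table is left unconstrained.
ROOT_CONSTRAINTS = {"Example National Root CA": ["kr"]}

def out_of_scope_names(root_label, san_dns_names, constraints=ROOT_CONSTRAINTS):
    """Return the SAN dNSNames that fall outside the root's permitted subtrees.

    The check is keyed on the root the chain terminates at, so it covers
    every subordinate CA beneath it. A non-empty result means reject.
    """
    permitted = constraints.get(root_label)
    if permitted is None:
        return []
    return [name for name in san_dns_names
            if not any(dns_name_within(name, p) for p in permitted)]

if __name__ == "__main__":
    for sans in (["www.example.kr"], ["shop.example.kr", "shop.example.com"],
                 ["example.xkr"], ["kr.example.com"]):
        bad = out_of_scope_names("Example National Root CA", sans)
        print(sans, "->", "reject " + str(bad) if bad else "accept")
```

A certificate carrying both an in-scope and an out-of-scope name is rejected as a whole, which is the case the .com certificates mentioned in the thread would hit.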