Nelson Bolyard:
> Frank Hecker wrote:
>
>> Benjamin Smedberg wrote:
>>
>>> At the time, I believe I counter-proposed that the government
>>> certificate in question should be trusted to validate the identity of
>>> sites within that country: i.e. a Korean government CA would have a
>>> "limited" root which could only verify the identity of sites within
>>> the top-level .ko.
>>>
>> It's a reasonable proposal, and we did look into doing this.
>> Unfortunately there are .com domains and perhaps other non-.kr domains
>> with certs issued by CAs in the KISA-rooted hierarchy. This is not
>> unique to KISA and Korea either AFAIK. In the current state of affairs I
>> don't think we have any general way to restrict government CAs or other
>> country-specific CAs to issuing certs under their particular national
>> TLDs; we'd need to have additional code in NSS or PSM to enforce custom
>> restrictions. (Or just not include the roots at all.)
>>
>
> I agree that those are the choices. The additional code would impose
> "name constraints" on roots and all their subordinate hierarchy.
> There is no RFE from mozilla to have such capability added to NSS, but
> I would surely not oppose such an RFE. OTOH, Mozilla would probably
> have to fund that development, since it is likely (IMO) that only the
> Mozilla clients would make use of it.

This would be certainly a better idea to limit gov. CAs to certain domain name extensions. Certainly better than ship their CA roots only with certain localizations. But is this really what we want to do? Would this somehow eliminate or ease some audit requirements or other requirements of the Mozilla CA policy? If yes, then this could be an idea, if not, then I'm not sure why limit... Also if yes, what would that mean exactly and what would the implications for the respective certificates and relying parties be?

Obviously, a strictly government run CA which issues client certificates on behalf of their citizens instead of or in addition to the real-paper ID cards is most likely the best it can get for personal identity validation. However I haven't seen many CAs (which requested to be included in NSS) doing that. Instead they usually have some law in place which gives them the authority to issue (any) certificates under that law. Therefore it's usually not what I view as the authority and use-case of government CAs, in addition to that we are almost forced to accept their criterion and audit requirements.

Interestingly, citizens of countries which do have such digital ID cards, like Estonia, are sometimes very skeptical and lots of mistrust exists. For example somebody told me (from Estonia), that they are never sure if the private key indeed was generated in their smart card or if their government has a copy of the key. And so the story goes on. I guess if in the US similar cards would be issued, there would be a similar mistrust by their respective citizens.

At large I'm still skeptical if gov. CAs should be treated differently than regular CAs, if and how. I believe not, instead CAs should be usable by all Netizens, but as Frank indicated, there could be other problems with it, like people forced to be using IE or other implications. In that case a limitation would make sense...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
<http://www.startcom.org>
Jabber: [EMAIL PROTECTED]
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
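
The client-side restriction discussed in this thread (limiting a root and its whole subordinate hierarchy to names under one national TLD), sketched as an added example that is not NSS or PSM code and not written by any participant in the thread. The structure, function names, root label and host names are hypothetical and constructed; the check covers only DNS names, using the dNSName matching rule from RFC 5280 section 4.2.1.10, and it fails closed on an empty subtree or a leaf with no DNS names (both policy assumptions).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical client-side table entry (not an NSS structure): one trusted
 * root and the only DNS subtree its hierarchy is allowed to issue for. */
struct constrained_root {
    const char *label;      /* constructed identifier, not a real root */
    const char *permitted;  /* permitted dNSName subtree, e.g. "kr" */
};

/* RFC 5280 dNSName rule: a name satisfies the constraint if it equals the
 * subtree or is built by adding labels on the left. Case-insensitive. */
static int dns_within(const char *name, const char *subtree)
{
    size_t n = strlen(name), s = strlen(subtree);
    if (n && name[n - 1] == '.') n--;        /* ignore trailing root dot */
    if (s == 0 || n < s) return 0;           /* fail closed */
    for (size_t i = 0; i < s; i++)
        if (tolower((unsigned char)name[n - s + i]) !=
            tolower((unsigned char)subtree[i]))
            return 0;
    /* Require a label boundary so "example.notkr" does not match "kr". */
    return n == s || (n > s + 1 && name[n - s - 1] == '.');
}

/* Accept the leaf only if every DNS name it carries is inside the subtree
 * assigned to the root its chain ends at. */
int root_permits(const struct constrained_root *r,
                 const char *const *dns_names, size_t count)
{
    if (count == 0) return 0;
    for (size_t i = 0; i < count; i++)
        if (!dns_within(dns_names[i], r->permitted))
            return 0;
    return 1;
}

int main(void)
{
    struct constrained_root root = {"constructed-gov-root", "kr"};
    const char *in_tld[] = {"www.example.kr", "MAIL.Example.KR."};
    const char *mixed[]  = {"www.example.kr", "shop.example.com"};
    printf("in_tld: %d\n", root_permits(&root, in_tld, 2));
    printf("mixed:  %d\n", root_permits(&root, mixed, 2));
    return 0;
}
```

A single out-of-subtree name rejects the whole certificate, which is why the existing .com certificates mentioned in the thread would stop validating under such a restriction.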