On Tuesday, 10 December 2013 08:11:30 UTC+1, Eddy Nigg wrote:
> On 12/10/2013 02:48 AM, From Erwann Abalea:
> > As Kathleen mentioned in bug 948175, governments need to vote budgets.
>
> :-) Issuing certs for google.com and other sites (assuming) without any
> validation has nothing to do with BR compliance, budgets etc.

You're right, of course. Mozilla has twice expressed its concerns about MITM certs linked to a public CA, and all public CAs including IGC/A were told to perform some checks on the complete set of certificates chaining to the root, reporting any deviation. But budgets are needed to change all the procedures, perform internal audits, change software, run training programs, etc. I think it's what ANSSI expressed in their response to Mozilla.

There are at least 12 first-level sub-CAs each attributed to a different public entity (MINEFI is one of them), and who knows how many sub-CAs each one of them has... I think ANSSI knows the duties associated with running a public CA, I'm pretty sure the different ministries don't.

