On Tue, Dec 10, 2013 at 4:08 PM, Kathleen Wilson <[email protected]> wrote:
> Constrain the currently-included IGC/A root certificate to a certain set of
> domains. I think the restriction needs to be along the lines of *.gouv.fr.

I think it might help to explain the rationale for the choice of *.gouv.fr: ANSSI is run by the French government and *.gouv.fr are government websites. Thus, restricting ANSSI to issuing certificates under *.gouv.fr limits the negative impact of any mis-issuance to French government websites--i.e. they could only harm themselves if so restricted.

Also, enabling *.gouv.fr sites that use ANSSI-issued certificates to continue working would minimize disruption to essential government services, like tax collecting, etc. Removing ANSSI completely may be too disruptive to these essential services.

My personal opinion is that it is unlikely that all other browsers would follow us if we completely removed ANSSI, but I think it would be reasonable to expect other browsers to add constraints to *.gouv.fr.

In case it isn't obvious, I support this proposal.

Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
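The scoping discussed in this message, as an added example that is not part of the original post and is not NSS or Mozilla code: a check of a certificate's dNSName entries against a permitted subtree, using the DNS matching rule of RFC 5280 name constraints (the base name itself, or the base with labels added on the left). The function names, the `PERMITTED` tuple and the sample host names are assumptions constructed for illustration.

```python
# Added example: dNSName check against a permitted subtree (RFC 5280, 4.2.1.10).
# PERMITTED and SAMPLE_SANS are constructed values, not taken from any real policy file.
PERMITTED = ("gouv.fr",)


def _labels(name):
    """Lower-case a DNS name, drop one trailing root dot, split into labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []


def within_subtree(dns_name, base):
    """True if dns_name equals base or is base with labels added on the left."""
    name, suffix = _labels(dns_name), _labels(base)
    if not name or not suffix or any(label == "" for label in name):
        return False  # empty names and empty labels ("a..gouv.fr") never match
    # Compare whole labels, so "notgouv.fr" and "gouv.fr.example.com" fail.
    if len(name) < len(suffix) or name[-len(suffix):] != suffix:
        return False
    extra = name[:len(name) - len(suffix)]
    # A wildcard is accepted only as the entire left-most label, so that
    # everything it can expand to still sits below the permitted base.
    if "*" in dns_name:
        return bool(extra) and extra[0] == "*" and all("*" not in l for l in extra[1:])
    return True


def violations(san_dns_names, permitted=PERMITTED):
    """Return the dNSName entries that fall outside every permitted subtree."""
    return [n for n in san_dns_names
            if not any(within_subtree(n, base) for base in permitted)]


def acceptable(san_dns_names, permitted=PERMITTED):
    """A certificate passes only if it has names and all of them are in scope."""
    return bool(san_dns_names) and not violations(san_dns_names, permitted)


# Constructed sample: SAN lists as they might appear on certificates chaining
# to the constrained root.
SAMPLE_SANS = ["www.example.gouv.fr", "GOUV.FR.", "*.example.gouv.fr",
               "notgouv.fr", "gouv.fr.example.com", "*.fr"]

if __name__ == "__main__":
    print("out of scope:", violations(SAMPLE_SANS))
```

One out-of-scope name is enough to reject the whole certificate, which is why `acceptable` requires every entry to pass rather than any one of them.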

