On 1/6/2014 12:25 PM, Kathleen Wilson wrote [in part]:
> 
> We are working on the ability to constrain root certificates to certain 
> domains. https://bugzilla.mozilla.org/show_bug.cgi?id=743700
> 
> I think we should consider constraining CAs who:
> 1) Are not able to be audited by outside (3rd-party) organizations (such 
> as some government CAs)
> 2) Are not able to promptly upgrade their PKIs to current 
> standards/requirements like the BRs (as per previously published 
> responses to CA communications, some government CAs have this problem).

In the U.S., government agencies can indeed contract for outside audit
services.  For state and local governments, outside audits are standard.
Some federal agencies also have outside audits.

I think the policy should be that, if a government-operated
certification authority wants its root certificate in the NSS database,
it should indeed have an outside audit.  Any government that has imposed
a prohibition against outside audits of its own agencies can just as
easily repeal that prohibition.

-- 

David E. Ross
<http://www.rossde.com/>

On occasion, I filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam, flames, and trolling from that source.
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy