On 08/03/15 11:53, Eric Mill wrote:
> That comes down to how this program is implemented. The intent seems
> pretty clearly to identify the space CAs are already issuing in.
> Perhaps newer gTLDs merit some unrestrained time in the wild before
> they're constrained in this way

I don't understand this point. The plan restricts CAs to issue to a whitelist of TLDs, it doesn't restrain gTLDs. If all CAs are restricted to a whitelist of TLDs, then the number of CAs who could issue for a new gTLD would be 0. That's clearly bad. So some CAs need to be unconstrained. How do we choose which, and how is that not massively market-distorting?

> For CAs whose business model is designed for a specific subset of the
> web, a name constraint program could clear a path to entry without
> endangering domains who are not designed to be served by that CA.

I don't think anyone opposes CAs requesting voluntary name constraints. :-) The proposal here is that we impose them on CAs without their consent.

> This is a great point, and suggests that name constraint updates
> should either a) have a clear and defined update path, or b) only be
> implemented when the chances of updates are low.

b) sounds like "predict the future business models of lots of companies".

> * Reduce the friction for niche CAs to be included in the first place.
> For tightly constrained CAs, it's plausible to imagine that the
> operational complexity they need to demonstrate can be reduced.

Which TLDs do you think it would be OK to issue for with "reduced operational complexity" on the part of the CA? Which TLDs are in your "less valuable" bucket?

> Constraining the current major unrestricted CAs seems thorny. But the
> clearest example to me of the benefit of name constraints is the US
> government's FPKI application:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=478418
> https://bug478418.bugzilla.mozilla.org/attachment.cgi?id=8561777
>
> While this is not finalized, and the specific constrained domains in
> the application are not accurate (.gov.us is not a public suffix, or
> in use at all), name constraints seem to be a highly practical way of
> bringing government CAs into the trusted root program.

As Ryan asked: why do we want to do that?

> While the US government is unique in owning their own TLDs, there are
> other government CAs already in the program, and pending application,
> that could benefit from constraints. I know an animating motivation
> for the constraint program is the compromise of a French government
> intermediate certificate.[1]

The idea of forcibly constraining government CAs to issue for their own TLDs is, to me, a lot more plausible. For one thing, many government CAs don't have the same audits that non-governmental CAs do. The difficulty here is defining "governmental", particularly in countries where the "N" in "NGO" is silent.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

