On 14/05/15 17:02, David E. Ross wrote: > There is an ongoing dispute between the U.S. and China whether the > government in China is behind attacks on both government and commercial > computer systems in the U.S. This is NOT to question the > trustworthiness of the government of China but to give one example of > the possibility of hostile actions by a government certification > authority (CA).
Is there any evidence that these attacks involve certificates issued by a government CA? > Snowden revealed how the U.S. NSA is intercepting Internet > communications in bulk. This is NOT to question the trustworthiness of > the government of the U.S. but to give another example of the > possibility of hostile actions by a government CA. Is there any evidence that these attacks involve certificates issued by a government CA? > With "cyberwarfare" constantly discussed in the news, U.S. Congress, and > other venues, it appears to me that government CAs should indeed be > restricted to the TLDs of their respective jurisdictions. You will need to expand on that observation if you want to turn it into an argument. > Furthermore, since governments can apply pressure (often secretively) to > commercial enterprises, This assertion is relevant and should be discussed, as it relates to my question 1). Is "the government told its own CA to issue a certificate" exactly the same situation as "this government pressured a commercial CA in its jurisdiction to issue a certificate"? > a similar restriction should be applied to all > commercial and non-government CAs. In this case, they should be > restricted to TLDs of those jurisdictions where they have registered and > whose governments have granted the CAs permission to operate. This suggestion is wildly impractical, and also out of scope for this discussion - note "out of scope" point 1). Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy