On Mon, May 18, 2015 at 12:26:26PM +0200, Kurt Roeckx wrote:
> On 2015-05-14 17:25, Gervase Markham wrote:
> >2) "If it is different, does name-constraining government CAs make
> >things better, or not?"
>
> I think it only makes sense to name constrain a government CA if the name
> constrained only covers government websites, and not all websites in the
> country. Examples would be covering *.gov and *.go.jp. I think that
> restricting them to *.jp, *.in, *.cn and so on doesn't actually add enough
> value.

This sounds an awful lot like "we're OK with someone having a name-constrained intermediate that only covers a namespace they own". Doesn't seem like we really need a separate rule just because they're a government, although whether we'd want everyone trying to get their name-constrained roots into Mozilla (rather than just, say, getting a name-constrained intermediate) is a matter for some debate.

- Matt

