On Mon, May 18, 2015 at 02:48:11PM +0100, Gervase Markham wrote:
> On 18/05/15 11:26, Kurt Roeckx wrote:
> > I think it only makes sense to name constrain a government CA if the
> > name constraint only covers government websites, and not all websites
> > in the country.  Examples would be covering *.gov and *.go.jp.  I think
> > that restricting them to *.jp, *.in, *.cn and so on doesn't actually add
> > enough value.
> 
> Why not? How is the security analysis different for the two options?

There clearly is no trust in certain governments, and maybe
governments in general.  If the government CA is restricted to
only websites of the government itself, there is no need to trust
that they aren't going to abuse that CA.

On the other hand, if it covers the whole country, they can abuse
it for domains in that country, but not for other domains.  I'm
not sure why you would find it acceptable that they can abuse it
in their own country.


Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
