On 2015-05-21 14:56, Peter Kurrasch wrote:
 > 2) "If it is different, does name-constraining government CAs make
 > things better, or not?"

One situation that is addressed by name constraints is that today it's
generally possible for any CA to issue a cert for any domain. In the
context of a security analysis that's problematic, which is why name
constraints has its appeal.

Combine that with the power of governments and add a dash of crime show
drama cliché: motive, means, opportunity. The desire--or, perhaps,
need--to institute controls gives governments the motive. The extent to
which governments own/operate/control the internet infrastructure (or
other access to web sites) and are able to issue certs provides the
means. And if any CA can issue any cert the opportunity is always there.

So if a decision is made to require name constraints by a government CA
that would have the benefit of limiting the opportunities for bad acts.
Absent that, are there other mechanisms worth considering that would
have a beneficial impact on the motive, means, opportunity formula? One
example that comes to mind is separating cert issuance from control of
the infrastructure. Still, the question remains what limits do we want
to place on governments?

As you say, it limits the opportunities.  But does it limit them enough?


Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
