Gerv,
I saw the previous thread on name constrain on possibly all gov CAs.But I have
to point out that state hackers routinely uses legit software vendors to sign
malware. Stating that I'm not an CA expert, CT sounds much more effective and
less subjective than constrain government CAs
HTTPSeverywhere has a certificate observatory which can be adapted to this
purpose. I would think the number of problematic sites (e.g switching between
CNNIC and Verisign) is quite small. Those incidents can be examined manually,
for example, emailing the domain owner to check legitimacy.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
