According to these clues, as I said in the Zurich CABF meeting, China will also come
out with a trust list that requests browser and OS support.
And other countries will come out with a list, then browsers and OSes need to maintain
hundreds of trust lists.
Is it a good idea? 


Best Regards,

Richard

-----Original Message-----
From: dev-security-policy [mailto:[email protected]] On Behalf Of Ben Wilson
Sent: Tuesday, July 7, 2015 12:45 AM
To: Gervase Markham; [email protected]
Cc: Tom Ritter; Peter Kurrasch; Eric Mill; Richard Barnes
Subject: RE: Letter from US House of Representatives

Gerv,

Thanks.  I realize/think that this would require a separate root program.  If 
you think of it as a Venn diagram there would be Set A and Set B.  The user 
would then select A, B, A ∪ B or A ∩ B.  From a U.S. Government perspective, I 
have been told that this is accomplished with a Certificate Validation Service 
(CVS) that is maintained by the government, but elsewhere in the world, there 
might be the need for multiple Mozilla-distributed trust lists instead of just 
one (Sets C, D, E, ...).  It's more work, but it avoids having to address your 
issues, I think. 

Cheers,

Ben

-----Original Message-----
From: Gervase Markham [mailto:[email protected]]
Sent: Monday, July 6, 2015 10:29 AM
To: Ben Wilson; [email protected]
Cc: Eric Mill; Peter Kurrasch; Tom Ritter; Richard Barnes
Subject: Re: Letter from US House of Representatives

On 06/07/15 15:34, Ben Wilson wrote:
> =P7-TA-2014-0282> &language=EN&reference=P7-TA-2014-0282, I was asked 
> (by someone in the audience and not by anyone specifically
> representing EU governments) to relay a message that some
> European supervisory bodies
> would like browsers and OS providers to enable and support an 
> additional trust list or trust store, specific to the EU, for those 
> Trust Service Provider-CA entities that are accredited to issue digital 
> certificates in the EU.

Hi Ben,

I realise you are just passing on a message, so this should not be taken as 
shooting the messenger! I will outline briefly why this request would be, er, 
problematic:

* "specific to the EU" - how do we tell if a particular connection is going to 
a website in the EU? On-the-fly IP-based geolocation? This isn't really 
possible. Not all websites in EU country TLDs are EU-based, and many in e.g. 
.com are EU-based. There is no way to do this; the new CAs would have to be 
trusted universally for certs with whatever special marking the EU has in mind.

* This proposal would involve Mozilla delegating responsibility for who Firefox 
trusts to whoever makes the list of accredited EU TSPs. As we noted in our 
letter to the US committee, we value our transparent and open process for 
deciding who we trust, and our control of that process is very important to us.

Gerv


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy