On Thu, Jan 7, 2016 at 2:00 PM, Kathleen Wilson <kwil...@mozilla.com> wrote: > On 1/6/16 3:07 PM, Paul Wouters wrote: >> >> >> As was in the news before, Kazakhstan has issued a national MITM >> Certificate Agency. >> >> Is there a policy on what to do with these? While they are not trusted, >> would it be useful to explicitely blacklist these, as to make it >> impossible to trust even if the user "wanted to" ? >> >> The CA's are available here: >> http://root.gov.kz/root_cer/rsa.php >> http://root.gov.kz/root_cer/gost.php >> >> One site that uses these CA's is: >> https://pki.gov.kz/index.php/en/forum/ >> >> Paul > > > > Kazakhstan has submitted the request for root inclusion: > https://bugzilla.mozilla.org/show_bug.cgi?id=1232689 > > So, we really do need to have this discussion now. > > I will appreciate thoughtful and constructive input into this discussion.
I suggest waiting until they name their auditors before processing the request. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy