On 09/03/2018 05:28, [email protected] wrote:
> It's bad that 70% of the root certificates in the discussion thread are
> certificates of governments that are not needed by anyone except these
> governments.
>
> Andrew

And the citizens under those governments.
And anyone elsewhere checking out things in that country for any reason.
(How much depends on how much of the stuff in that country uses it; for
example, some years ago, every citizen in Denmark could get a free(ish)
e-mail/client certificate under the TDC root; this was later taken over
by a banking services company that changed it into a two-factor login
with private keys on their server!)
But yes, country-specific CAs should be restricted to trust for entities
in that country only (domains under the country TLDs, subject DN country
code in that country etc.). And this should be technically enforced
even if the country-folk don't add that restriction themselves.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
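
One way the restriction suggested in the reply above (names under the country TLD, subject DN country code in that country) could be checked mechanically, as an added example that is not part of the original message or of any root program's code. The `CountryScope` policy, the function names and the sample certificate fields are assumptions made for illustration, and the example assumes both conditions must hold.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CountryScope:
    """Hypothetical per-root restriction (names are assumptions of this example)."""
    dns_subtrees: tuple  # e.g. ("dk",): dk itself and every name under it
    country: str         # ISO 3166-1 alpha-2 code required in subject C=

def _labels(name):
    # DNS names compare case-insensitively; ignore a single trailing root dot.
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")

def dns_in_subtree(name, subtree):
    """RFC 5280 style dNSName matching: the name must equal the subtree or add
    whole labels on its left. A plain string-suffix test would wrongly accept
    'evil-dk' for the subtree 'dk'."""
    n, s = _labels(name), _labels(subtree)
    if "" in n or "" in s:      # empty label means a malformed name: refuse
        return False
    if n[0] == "*":             # leftmost wildcard: judge by the labels it sits under
        n = n[1:]
    if not n or any("*" in label for label in n):
        return False            # bare "*" or a wildcard in any other position
    return len(n) >= len(s) and n[-len(s):] == s

def scope_violations(scope, subject_country, san_dns_names):
    """Return the reasons a certificate falls outside its root's country scope."""
    problems = []
    if (subject_country or "").upper() != scope.country.upper():
        problems.append(f"subject C={subject_country!r} is not {scope.country}")
    for name in san_dns_names:
        if not any(dns_in_subtree(name, s) for s in scope.dns_subtrees):
            problems.append(f"dNSName {name!r} is outside {scope.dns_subtrees}")
    return problems

if __name__ == "__main__":
    dk = CountryScope(dns_subtrees=("dk",), country="DK")  # constructed policy
    # Constructed certificate fields, not taken from any real certificate.
    print(scope_violations(dk, "DK", ["www.example.dk", "*.example.dk"]))
    print(scope_violations(dk, "DK", ["example.dk.example.com", "evil-dk"]))
```

The comparison works on whole DNS labels, so a name that merely ends in the letters of the TLD, or that carries the TLD as an inner label of another domain, is reported as out of scope.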