On Friday, August 24, 2018 at 11:23:37 AM UTC-7, Caju Mihai wrote:
> Greetings,
> I would like to ask why there are no root certificate authorities from
> organizations in the Russian Federation. Specifically I haven't found any
> with the country code RU in the NSS CA bundle. Is it due to political
> pressure? Or does the Russian government have a bad history with forcing CAs
> to issue certificates? As far as I know Yandex has its own intermediate CA,
> signed by Certum. So I can't see the issue? Also can you point me to a few
> bugs where Russian CAs have attempted inclusion? Bugzilla search isn't very
> helpful, and I have tried searching in "CA Certificates Code", "CA
> Certificate Mis-Issuance" and "CA Certificate Root Program"

The Russian market (really the whole FSU) is notably different than other markets, at least in the context of the WebPKI. Most notably, the government mandate for the use of GOST approved algorithms and implementations conflicts with the WebTrust mandate of RSA and the global standard ECC curves. This is meaningful because many CAs make a large portion of their revenue not off SSL certificates but off other services (digital signatures, enterprise use cases, etc.). Many of these other use cases are covered by the many government licensed CAs (hundreds, last I heard) that are used for these cases while using GOST approved algorithms.

Above and beyond that, I would say the cost realities of commercial WebPKI offerings make it difficult to justify that particular business in the Russian market.

With that said, I think your real question is: could a Russian CA become a WebTrust and browser trusted CA? I personally think the answer is yes (though I doubt the business viability) if they could get clarity from the FSB on approval to operate such a CA, given the current guidance regarding approved GOST algorithms.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

