On Thursday, January 7, 2016 at 7:08:10 AM UTC+8, Paul Wouters wrote:
> As was in the news before, Kazakhstan has issued a national MITM
> Certificate Agency.
>
> Is there a policy on what to do with these? While they are not trusted,
> would it be useful to explicitly blacklist these, as to make it
> impossible to trust even if the user "wanted to" ?
>
> The CA's are available here:
> http://root.gov.kz/root_cer/rsa.php
> http://root.gov.kz/root_cer/gost.php
>
> One site that uses these CA's is:
> https://pki.gov.kz/index.php/en/forum/
>
> Paul
Adding a banner is an acceptable action to hint at this kind of attack. Banning this CA can't solve any problem, because the KZ ISP can just block any TLS connection. But maybe we can let websites choose which CA they would use, just like HSTS.
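The two options discussed in this thread, a client-side blacklist of the MITM CA's keys and a site-declared list of acceptable keys "like HSTS" (what HTTP Public Key Pinning did), both reduce to hashing the SubjectPublicKeyInfo of each certificate in the presented chain and comparing it against a set. The example below is added here and is not code from this thread or from Mozilla; the certificates are minimal constructed DER structures rather than real ones, the DER walker and the function names are hypothetical helpers, and the pin value follows HPKP's base64(SHA-256(DER SPKI)) format.

```python
"""Toy HPKP-style pin check next to a distrust-list check.

The site publishes the SPKI hashes it will accept; a chain that contains
none of them is rejected even when every certificate in it chains to a
root the client trusts. The distrust list is the inverse rule from the
thread: reject any chain that contains a listed key. Certificates below
are constructed minimal DER Certificate structures, not real ones."""
import base64
import hashlib

SEQ, INT, BITSTR, NULL, CTX0 = 0x30, 0x02, 0x03, 0x05, 0xA0


def der_len(n: int) -> bytes:
    # DER length: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    # Encode one TLV element.
    return bytes([tag]) + der_len(len(content)) + content


def tlv_children(content: bytes):
    """Yield (tag, value) for each TLV element laid out in `content`."""
    i = 0
    while i < len(content):
        tag, length = content[i], content[i + 1]
        i += 2
        if length & 0x80:  # long form: next (length & 0x7F) bytes hold the length
            nbytes = length & 0x7F
            length = int.from_bytes(content[i:i + nbytes], "big")
            i += nbytes
        yield tag, content[i:i + length]
        i += length


def make_cert(spki_der: bytes, serial: int) -> bytes:
    """Constructed minimal Certificate carrying only what the walker reads."""
    tbs = der(SEQ, b"".join([
        der(CTX0, der(INT, b"\x02")),        # [0] version v3 (optional field)
        der(INT, serial.to_bytes(1, "big")),  # serialNumber
        der(SEQ, der(NULL, b"")),             # signature AlgorithmIdentifier (placeholder)
        der(SEQ, b""),                        # issuer Name (empty, constructed)
        der(SEQ, b""),                        # validity (empty, constructed)
        der(SEQ, b""),                        # subject Name (empty, constructed)
        spki_der,                             # subjectPublicKeyInfo
    ]))
    sig_alg = der(SEQ, der(NULL, b""))
    return der(SEQ, tbs + sig_alg + der(BITSTR, b"\x00"))


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of a certificate."""
    _, cert_body = next(tlv_children(cert_der))   # Certificate ::= SEQUENCE
    _, tbs = next(tlv_children(cert_body))        # first child: tbsCertificate
    fields = list(tlv_children(tbs))
    if fields[0][0] == CTX0:                      # skip optional [0] version
        fields = fields[1:]
    tag, spki_body = fields[5]  # serial, sigAlg, issuer, validity, subject, spki
    return der(tag, spki_body)


def spki_pin(cert_der: bytes) -> str:
    """HPKP pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return base64.b64encode(digest).decode()


def chain_passes_pins(chain: list, pins: set) -> bool:
    """Pinning rule: at least one certificate in the chain must match a pin."""
    return any(spki_pin(c) in pins for c in chain)


def chain_hits_distrust(chain: list, distrusted: set) -> bool:
    """Blacklist rule: reject if any key in the chain is on the distrust list."""
    return any(spki_pin(c) in distrusted for c in chain)


# Constructed sample keys: AlgorithmIdentifier SEQUENCE plus a BIT STRING "key".
SITE_SPKI = der(SEQ, der(SEQ, der(NULL, b"")) + der(BITSTR, b"\x00site-key"))
MITM_SPKI = der(SEQ, der(SEQ, der(NULL, b"")) + der(BITSTR, b"\x00mitm-key"))
LEGIT_CHAIN = [make_cert(SITE_SPKI, 1)]   # what the real site serves
MITM_CHAIN = [make_cert(MITM_SPKI, 2)]    # what an interception proxy would serve
SITE_PINS = {base64.b64encode(hashlib.sha256(SITE_SPKI).digest()).decode()}

if __name__ == "__main__":
    print("legit chain satisfies site pins:", chain_passes_pins(LEGIT_CHAIN, SITE_PINS))
    print("mitm chain satisfies site pins: ", chain_passes_pins(MITM_CHAIN, SITE_PINS))
```

The point the reply makes still holds in code: a distrust list only helps against keys you already know, while a pin set lets the site reject any substituted key without the client knowing it in advance; neither stops an ISP that simply drops the TLS connection.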