четверг, 7 января 2016 г., 4:08:10 UTC+5 пользователь Paul Wouters написал: > As was in the news before, Kazakhstan has issued a national MITM > Certificate Agency. > > Is there a policy on what to do with these? While they are not trusted, > would it be useful to explicitely blacklist these, as to make it > impossible to trust even if the user "wanted to" ? > > The CA's are available here: > http://root.gov.kz/root_cer/rsa.php > http://root.gov.kz/root_cer/gost.php > > One site that uses these CA's is: > https://pki.gov.kz/index.php/en/forum/ > > Paul
I believe there's no need to be aggressive or political in this matter. This is a very technical question. Imposed self-issued certificates are a threat to user's privacy. But there's other side of the question. Looking from the outside, the whole country becomes somewhat toxic to entire Internet infrastructure. If there's definite possibility that all traffic from this country might be forged, re-encrypted or otherwise modified, it poses a threat to a whole bunch of Internet services (actually, all of them), such as social media, business resources and so on, because they have no knowing who they are dealing with - real user or his forged identity. To mention only one example, it makes KYC procedures highly problematic - there might be no sane way to perform them in this case. Critical business services, such as cloud providers (Amazon, Google, Microsoft and so on), are also in danger as there's no more certainty who's using their services. Not to mention infinite possibilities for bots and troll factories in this case (social media are in the same danger). So I believe that Mozilla has to considerate both sides of the question: 1) User's privacy and 2) Global security of Internet (imagine totally plausible option of certificate's private keys leaked to some anonymous hackers). And blacklist this and all other possible initiatives of Kazakhstan government. P.S. Just to clarify on the level of usual governmental security procedures in this country (as I am a citizen of a mentioned state). Until recent time when you had your governmental digital signature issued (which is used to sign documents on governmental sites such as egov.kz), passphrase was limited to 8 symbols. You were not allowed to have more than 8 symbols in your passphrase! Recently their lifted this prohibition, though. So I wouldn't trust them such complex things as cryptography and security. Ivan _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
