Dear all, I hope this is the correct place to start this discussion. Today it was reported (https://bugzilla.mozilla.org/show_bug.cgi?id=1758773) that Russia is distributing a Root CA (https://crt.sh/?id=6316640888) which, according to one user, an ISP said was mandatory. The certificate can be downloaded from the third button on https://www.gosuslugi.ru/tls. Although at present there is no MitM, it is likely that government websites will start using this, and once adoption is high enough Russia will perhaps start MitM.
Considering that the ISP was told it was mandatory, the certificate is worth urgent consideration. An option we can consider is to allow the certificate for only the websites linked on gosuslugi.ru. Because of retaliation, Russia might be seen as correct to reduce their reliance on Western certs. To minimize the damage to Russian users, by allowing the root certificate for only the listed websites OR for all .ru domains, the risk of MitM will be negated and the given reason of "reducing reliance on Western certs" will be resolved. If the certificate is blocked completely, Russia-based users could be harmed further, as they would have to follow the government against interventions of Mozilla et al., who are vulnerable to name-and-shame in case certificates currently used by RU companies are revoked.

I decided to start this thread to accelerate the examination of this certificate.

Many thanks
