Zack Weinberg wrote:
a real possibility in "the attacker is a nation-state" scenarios

*Public* PKI as it is implemented in the browsers does *not* protect against a nation-state attack scenario. It just can't. A nation-state attack scenario means, amongst other things, the attacker can get a perfectly valid ID that in fact is false (think Dubai Hamas assassination and the British passports). No commercial CA will be able to do anything against that.

If that's the scenario you want to fight, and I'm not saying there aren't valid reasons to aim for it, you need to either not use PKI at all, or use your own private one with your own rules. But it's not a useful purpose of a general usage browser to try to do anything about that.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
