Benjamin Smedberg wrote:
> At the time, I believe I counter-proposed that the government
> certificate in question should be trusted to validate the identity of
> sites within that country: i.e. a Korean government CA would have a
> "limited" root which could only verify the identity of sites within the
> top-level .ko.

It's a reasonable proposal, and we did look into doing this. Unfortunately there are .com domains and perhaps other non-.kr domains with certs issued by CAs in the KISA-rooted hierarchy. This is not unique to KISA and Korea either AFAIK.

In the current state of affairs I don't think we have any general way to restrict government CAs or other country-specific CAs to issuing certs under their particular national TLDs; we'd need to have additional code in NSS or PSM to enforce custom restrictions. (Or just not include the roots at all.)

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
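
The restriction discussed in this message, as an added example that is not part of the original post and is not NSS or PSM code: a label-wise DNS subtree check in the style of RFC 5280 dNSName name constraints, used to audit which names issued under a root fall outside a permitted national TLD. The function names, the wildcard handling and the sample names are assumptions constructed for illustration.

```python
# Added example: audit issued DNS names against a permitted TLD subtree.
# Function names and sample data are hypothetical, not taken from NSS/PSM.

def normalize(name: str) -> str:
    """Lower-case and drop a trailing root dot so comparisons are canonical."""
    return name.strip().lower().rstrip(".")

def within_subtree(dns_name: str, permitted: str) -> bool:
    """True if dns_name equals permitted or is a subdomain of it.

    Matching is on whole labels, so "example.notkr" does not match "kr".
    Assumption: a leading wildcard label is judged by the suffix it covers.
    """
    name = normalize(dns_name)
    base = normalize(permitted).lstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if not name or not base:
        return False
    name_labels = name.split(".")
    base_labels = base.split(".")
    if len(name_labels) < len(base_labels):
        return False
    return name_labels[-len(base_labels):] == base_labels

def audit(issued, permitted_subtrees):
    """Split issued DNS names into (allowed, violations)."""
    allowed, violations = [], []
    for name in issued:
        ok = any(within_subtree(name, p) for p in permitted_subtrees)
        (allowed if ok else violations).append(name)
    return allowed, violations

# Constructed subjectAltName dNSName values, not real certificates.
SAMPLE_ISSUED = [
    "www.example.kr",
    "*.portal.example.kr",
    "shop.example.com",   # the case the reply describes: non-.kr under the root
    "example.notkr",      # a plain string-suffix test would wrongly accept this
    "WWW.EXAMPLE.KR.",    # case and trailing dot must not change the result
]

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_ISSUED, ["kr"])
    print("allowed:   ", ok)
    print("violations:", bad)
```

Any entry in the violations list is a certificate that would stop validating if the root were limited to the national TLD, which is the compatibility problem the reply raises.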

