Frank Hecker wrote:
> It's a reasonable proposal, and we did look into doing this. 
> Unfortunately there are .com domains and perhaps other non-.kr domains 
> with certs issued by CAs in the KISA-rooted hierarchy. This is not 
> unique to KISA and Korea either AFAIK. 

I personally think that, if all the other technical capabilities were in 
place, our response to that could reasonably be "Tough. Sorry."

> In the current state of affairs I 
> don't think we have any general way to restrict government CAs or other 
> country-specific CAs to issuing certs under their particular national 
> TLDs; we'd need to have additional code in NSS or PSM to enforce custom 
> restrictions. (Or just not include the roots at all.)

As Nelson says, this is a capability we don't have. I personally think 
we should.

Gerv
_______________________________________________
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto
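
The per-root restriction discussed in this message, as an added example that is not part of the original email and is not NSS or PSM code: a check that rejects a chain when any DNS name in the certificate falls outside the suffixes permitted for its root. The policy table, root label and function names are hypothetical, and the sample names are constructed.

```python
# Added illustration; not NSS or PSM code.
# Hypothetical policy table: root label -> DNS suffixes it may issue under.
PERMITTED_SUFFIXES = {
    "Example National Root (constructed)": ("kr",),
}


def normalize(name):
    """Lower-case a DNS name and drop surrounding space and a trailing dot."""
    return name.strip().lower().rstrip(".")


def within_suffix(dns_name, suffix):
    """True if dns_name equals suffix or ends with it on a label boundary."""
    name = normalize(dns_name)
    if name.startswith("*."):
        name = name[2:]  # judge a wildcard by the labels it is anchored under
    suffix = normalize(suffix)
    if not name or not suffix:
        return False
    labels, want = name.split("."), suffix.split(".")
    if "" in labels:  # empty label such as "a..kr"
        return False
    # Compare whole labels so "example.notkr" does not match "kr".
    return len(labels) >= len(want) and labels[-len(want):] == want


def chain_allowed(root_label, san_dns_names):
    """Apply the per-root restriction to the DNS names of a leaf certificate.

    Roots absent from the table are unrestricted. For a restricted root,
    every name must fall under a permitted suffix; a certificate with no
    DNS names is rejected (a fail-closed choice made for this example).
    """
    permitted = PERMITTED_SUFFIXES.get(root_label)
    if permitted is None:
        return True
    if not san_dns_names:
        return False
    return all(
        any(within_suffix(name, suffix) for suffix in permitted)
        for name in san_dns_names
    )
```

Under this table a `.com` certificate chaining to the restricted root is refused, which is the outcome the reply above accepts for such sites.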
