Gervase Markham wrote:
> Frank Hecker wrote:
>> It's a reasonable proposal, and we did look into doing this.
>> Unfortunately there are .com domains and perhaps other non-.kr domains
>> with certs issued by CAs in the KISA-rooted hierarchy. This is not
>> unique to KISA and Korea either AFAIK.
>
> I personally think that, if all the other technical capabilities were in
> place, our response to that could reasonably be "Tough. Sorry.".

Note that if we implemented a general enough facility then we wouldn't
necessarily have to exclude support of all domains outside the country's
TLD. For example, we could have a constraint permitting use of *.kr (or
whatever) domains, as well as a selected set of *.com or other domains.
This would be unwieldy or downright impractical in cases where a
government wants to establish lots of .com domains, but might work OK
for cases where a government has just a few non-country-TLD domains.

>> In the current state of affairs I don't think we have any general way
>> to restrict government CAs or other country-specific CAs to issuing
>> certs under their particular national TLDs; we'd need to have
>> additional code in NSS or PSM to enforce custom restrictions. (Or just
>> not include the roots at all.)
>
> As Nelson says, this is a capability we don't have. I personally think
> we should. My checkbook is open :-)

However note that before doing this I think we should make sure we have
a full up-to-spec implementation of existing standards around CA name
constraints. Then we can think about extending the constraints to
include Mozilla-specific requirements.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
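The kind of constraint discussed in the thread, a CA permitted to issue for names under .kr plus a short list of named .com domains, is exactly what the X.509 Name Constraints extension (RFC 5280 section 4.2.1.10) expresses for dNSName entries. The following is an added illustration of the matching logic a verifier applies, written for this page; it is not code from NSS, PSM or Mozilla, and every domain name in it is a constructed example. RFC 5280 states dNSName constraints as a bare domain ("example.kr" covers itself and every subdomain); the leading-dot form (".kr") is accepted here as an assumed convenience meaning "any name strictly under this domain". The example also shows why the thread's "few .com domains" case is workable while excluded subtrees always override permitted ones, and why a leaf with even one out-of-policy SAN entry fails as a whole.

```python
"""dNSName name-constraint matching in the style of RFC 5280 4.2.1.10.

Added illustration only (not NSS/PSM code); all domains are constructed.
"""

from typing import Iterable, List, Optional, Sequence, Tuple


def dns_in_subtree(name: str, subtree: str) -> bool:
    """True if `name` equals `subtree` or sits under it (label-aligned).

    "gov-example.com" covers "www.gov-example.com" but not
    "evilgov-example.com" or "gov-example.com.evil.test".  A leading dot
    (assumed extension) means "strictly under this domain".
    """
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree)
    return name == subtree or name.endswith("." + subtree)


def check_dns_names(names: Iterable[str],
                    permitted: Optional[Sequence[str]],
                    excluded: Sequence[str]) -> Tuple[bool, str]:
    """Check every dNSName of a leaf against one CA's constraints.

    permitted=None means the CA has no permittedSubtrees for dNSName
    (unconstrained); an empty list permits nothing.  An excluded subtree
    wins over any permitted one.  One bad name fails the whole cert.
    """
    for name in names:
        for bad in excluded:
            if dns_in_subtree(name, bad):
                return False, f"{name} is inside excluded subtree {bad}"
        if permitted is not None and not any(
                dns_in_subtree(name, ok) for ok in permitted):
            return False, f"{name} is outside every permitted subtree"
    return True, "all names satisfy the constraints"


def check_chain(names: Iterable[str],
                chain: Sequence[Tuple[Optional[Sequence[str]], Sequence[str]]]
                ) -> Tuple[bool, str]:
    """Apply the constraints of each CA on the path, root first.

    RFC 5280 intersects permitted subtrees and accumulates excluded ones
    down the path; a leaf is valid iff it satisfies every CA's own
    constraints, so checking them one CA at a time is equivalent.
    """
    names = list(names)
    for depth, (permitted, excluded) in enumerate(chain):
        ok, reason = check_dns_names(names, permitted, excluded)
        if not ok:
            return False, f"CA at depth {depth}: {reason}"
    return True, "chain constraints satisfied"


# The policy from the thread: anything under .kr plus a few named .com
# domains (constructed names).
NATIONAL_CA_PERMITTED = ["kr", "gov-example.com", "agency-example.com"]


def demo() -> dict:
    """Run a few leaf certificates through the national-CA policy."""
    cases = {
        "www.example.kr": ["www.example.kr"],
        "www.gov-example.com": ["www.gov-example.com"],
        "www.other-example.com": ["www.other-example.com"],
        "mixed SAN": ["www.example.kr", "login.other-example.com"],
        "suffix trick": ["gov-example.com.evil.test"],
    }
    return {label: check_dns_names(sans, NATIONAL_CA_PERMITTED, [])[0]
            for label, sans in cases.items()}


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:24s} {'accepted' if ok else 'rejected'}")
    # Unconstrained root, then an intermediate limited to .kr minus test.kr
    path = [(None, []), (["kr"], ["test.kr"])]
    print(check_chain(["www.test.kr"], path))
```

Run it directly to see the policy decisions; in a real verifier these checks sit inside path validation and run for every CA certificate on the chain, which is why the thread stresses getting the standard extension fully implemented before layering Mozilla-specific rules on top of it.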

