Confirm, administrator
5,526
edits
Changes
Created page with "{{draft}} = Government Certification Authorities = == Distinguishing between a Government CA and other CAs == * How do we define what a Government CA is? * Is it reasonable to..."
{{draft}}
= Government Certification Authorities =
== Distinguishing between a Government CA and other CAs ==
* How do we define what a Government CA is?
* Is it reasonable to treat a Government CA differently from other CAs?
** What if the Government CA provides the documentation and audits showing that it complies with Mozilla's CA Certificate Policy?
* Of the [https://spreadsheets.google.com/pub?key=ttwCVzDVuWzZYaDosdU6e3w&single=true&gid=0&output=html CAs currently in Mozilla's program,] which ones are Government CAs?
** TurkTrust?
** Camerfirma?
** CATCert
** Chunghwa Telecom Corporation?
** China Internet Network Information Center (CNNIC) ?
** e-tugra?
** e-Guven Elektronik Bilgi Guvenligi A.S.?
** Government of Taiwan, Government Root Certification Authority (GRCA)
** HARICA (Hellenic Academic and Research Institutions) ?
** Government of Hong Kong (SAR), Hongkong Post
** Government of Spain (CAV), Izenpe S.A.
** Japan Certification Services, Inc. (JCSI) ?
** Government of Japan, Ministry of Internal Affairs and Communications
** Government of France
** Certicámara S.A.?
** Government of The Netherlands, PKIoverheid
** DanID?
** Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM)
* Government CAs who have applied to have a root included, but are [https://wiki.mozilla.org/CA:Schedule#CAs_Responding_to_First_Discussion on hold pending action items]
** KISA
** SSC, Lithuanian National Root
** Swiss BIT?
** ICP-Brasil
** Finnish Population Register
** E-ME?
Government CAs who have been told to have their subCAs apply for inclusion separately:
** India CCA, {{bug|557167#c16}} -- Large existing hierarchy, so proceeding with inclusion of each subCA separately. If all of the subCAs are approved/included, then the CCA root may be considered for inclusion.
** SUSCERTE, {{bug|489240#c28}} -- This CA functions as kind of a super CA and their CA policies don't apply to the sub ordinate CAs (including auditing), those CAs must apply for inclusion themselves.
Government CAs who are currently in discussion:
** US FPKI, {{bug|478418}}
== Concerns about Government CAs ==
Concern has been repeatedly raised about Government CAs having root certificates included in Mozilla products. Concerns and suggestions that have been raised include:
* Distrust of Government
** Government interference with internet activities
** Government participation in spying on people on the internet
* Hostile jurisdiction compelled certificate creation attack
** Some CAs have been asked to update their CP/CPS to address concerns about being compelled by third parties to inappropriately issue an intermediate or end-entity certificate. Current recommendation from the discussions appears to be to provide information about which regulatory and legal framework/jurisdiction the CA is primarily beholden to; and add a statement that the CA will duly verify that an order from a government or other such organization is lawful before executing the order.
** https://groups.google.com/forum/?fromgroups#!topic/mozilla.dev.security.policy/qFj6WxW4isI[1-25]
== Suggestions about what to do about Government CAs ==
* Treat Government CAs like other CAs that provide the necessary documentation and audit statements to show compliance with Mozilla's CA Certificate Policy.
** Make a clear statement about what it means to have a root certificate in Mozilla's program.
*** What statements can truly be made about CAs in Mozilla's program.
*** Are we trying to protect users from being spied on by their governments?
*** Is inclusion in Mozilla's CA Certificate program an indicator that the CA is not evil?
*** What is out-of-scope; e.g. what are unreasonable assumptions for people to make about CAs in Mozilla's program.
***
*** Cannot protect anyone from governments using their power on their citizens, whether it is a government-owned CA or not.
* Restrict government roots to their TLDs
** The purpose of this would be to limit the use of government roots to only within the government's jurisdiction. In the USA, however, federal, state, and local governments use the TLD .gov. The federal government does not have jurisdiction over state and local Web sites and vice versa. How would this restriction apply to the Basque certificate authority Izenpe, whose jurisdiction lies entirely within Spain and the TLD .es?
** This has been requested in regards to specific roots, such as CNNIC: Have Firefox provide a warning when the CNNIC ROOT CA is used to authenticate web sites outside the jurisdiction of the Chinese government.
** {{bug|555701}}
= Government Certification Authorities =
== Distinguishing between a Government CA and other CAs ==
* How do we define what a Government CA is?
* Is it reasonable to treat a Government CA differently from other CAs?
** What if the Government CA provides the documentation and audits showing that it complies with Mozilla's CA Certificate Policy?
* Of the [https://spreadsheets.google.com/pub?key=ttwCVzDVuWzZYaDosdU6e3w&single=true&gid=0&output=html CAs currently in Mozilla's program,] which ones are Government CAs?
** TurkTrust?
** Camerfirma?
** CATCert
** Chunghwa Telecom Corporation?
** China Internet Network Information Center (CNNIC) ?
** e-tugra?
** e-Guven Elektronik Bilgi Guvenligi A.S.?
** Government of Taiwan, Government Root Certification Authority (GRCA)
** HARICA (Hellenic Academic and Research Institutions) ?
** Government of Hong Kong (SAR), Hongkong Post
** Government of Spain (CAV), Izenpe S.A.
** Japan Certification Services, Inc. (JCSI) ?
** Government of Japan, Ministry of Internal Affairs and Communications
** Government of France
** Certicámara S.A.?
** Government of The Netherlands, PKIoverheid
** DanID?
** Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM)
* Government CAs who have applied to have a root included, but are [https://wiki.mozilla.org/CA:Schedule#CAs_Responding_to_First_Discussion on hold pending action items]
** KISA
** SSC, Lithuanian National Root
** Swiss BIT?
** ICP-Brasil
** Finnish Population Register
** E-ME?
Government CAs who have been told to have their subCAs apply for inclusion separately:
** India CCA, {{bug|557167#c16}} -- Large existing hierarchy, so proceeding with inclusion of each subCA separately. If all of the subCAs are approved/included, then the CCA root may be considered for inclusion.
** SUSCERTE, {{bug|489240#c28}} -- This CA functions as kind of a super CA and their CA policies don't apply to the sub ordinate CAs (including auditing), those CAs must apply for inclusion themselves.
Government CAs who are currently in discussion:
** US FPKI, {{bug|478418}}
== Concerns about Government CAs ==
Concern has been repeatedly raised about Government CAs having root certificates included in Mozilla products. Concerns and suggestions that have been raised include:
* Distrust of Government
** Government interference with internet activities
** Government participation in spying on people on the internet
* Hostile jurisdiction compelled certificate creation attack
** Some CAs have been asked to update their CP/CPS to address concerns about being compelled by third parties to inappropriately issue an intermediate or end-entity certificate. Current recommendation from the discussions appears to be to provide information about which regulatory and legal framework/jurisdiction the CA is primarily beholden to; and add a statement that the CA will duly verify that an order from a government or other such organization is lawful before executing the order.
** https://groups.google.com/forum/?fromgroups#!topic/mozilla.dev.security.policy/qFj6WxW4isI[1-25]
== Suggestions about what to do about Government CAs ==
* Treat Government CAs like other CAs that provide the necessary documentation and audit statements to show compliance with Mozilla's CA Certificate Policy.
** Make a clear statement about what it means to have a root certificate in Mozilla's program.
*** What statements can truly be made about CAs in Mozilla's program.
*** Are we trying to protect users from being spied on by their governments?
*** Is inclusion in Mozilla's CA Certificate program an indicator that the CA is not evil?
*** What is out-of-scope; e.g. what are unreasonable assumptions for people to make about CAs in Mozilla's program.
***
*** Cannot protect anyone from governments using their power on their citizens, whether it is a government-owned CA or not.
* Restrict government roots to their TLDs
** The purpose of this would be to limit the use of government roots to only within the government's jurisdiction. In the USA, however, federal, state, and local governments use the TLD .gov. The federal government does not have jurisdiction over state and local Web sites and vice versa. How would this restriction apply to the Basque certificate authority Izenpe, whose jurisdiction lies entirely within Spain and the TLD .es?
** This has been requested in regards to specific roots, such as CNNIC: Have Firefox provide a warning when the CNNIC ROOT CA is used to authenticate web sites outside the jurisdiction of the Chinese government.
** {{bug|555701}}
