Confirm, administrator
5,526
edits
Changes
→Suggestions about what to do about Government CAs
* Restrict government roots to their TLDs
** The purpose of this would be to limit the use of government roots to only within the government's jurisdiction. In the USA, however, federal, state, and local governments use the TLD .gov. The federal government does not have jurisdiction over state and local Web sites and vice versa. How would this restriction apply to the Basque certificate authority Izenpe, whose jurisdiction lies entirely within Spain and the TLD .es?
** We have asked this of Government CAs repeatedly in mozilla.dev.security.policy, and usually the CA responds by saying that they need to be able to issue SSL certs for .com and .org.
*** HARICA (I think) was the first CA to voluntarily add Name Constraints to their root and intermediate certs, but they still needed to be able to issue to .org.
** This has been requested in regards to specific roots, such as CNNIC: Have Firefox provide a warning when the CNNIC ROOT CA is used to authenticate web sites outside the jurisdiction of the Chinese government.
** {{bug|555701}}
