Changes


CA:GovernmentCAs

145 bytes added, 23:55, 23 August 2012
Suggestions about what to do about Government CAs
== Suggestions about what to do about Government CAs ==
Suggestions to consider...
 
* Require CAs to use separate root certificates for the CA hierarchies that are for issuing certs to governments.
 
* Treat Government CAs like other CAs that provide the necessary documentation and audit statements to show compliance with Mozilla's CA Certificate Policy.
** Make a clear statement about what it means to have a root certificate in Mozilla's program.
*** What statements can truly be made about CAs in Mozilla's program.
*** Are we trying to protect users from being spied on by their governments?
*** Is inclusion in Mozilla's CA Certificate program an indicator that the CA is not evil?
*** What is out-of-scope; e.g. what are unreasonable assumptions for people to make about CAs in Mozilla's program.
*** Cannot protect anyone from governments using their power on their citizens, whether it is a government-owned CA or not.
* Restrict government roots to their TLDs
** {{bug|555701}}
 
 
* Treat Government CAs like other CAs that provide the necessary documentation and audit statements to show compliance with Mozilla's CA Certificate Policy.
** Make a clear statement about what it means to have a root certificate in Mozilla's program.
*** What statements can truly be made about CAs in Mozilla's program.
*** Are we trying to protect users from being spied on by their governments?
*** Is inclusion in Mozilla's CA Certificate program an indicator that the CA is not evil?
*** What is out-of-scope; e.g. what are unreasonable assumptions for people to make about CAs in Mozilla's program.
*** Cannot protect anyone from governments using their power on their citizens, whether it is a government-owned CA or not.
== What Inclusion of a CA in Mozilla's Program Means ==
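Review bot: the bullet "Restrict government roots to their TLDs" has only {{bug|555701}} beneath it, so the page itself does not say what restriction is being proposed or how it would be applied; add a one-line summary of the bug's proposal under that bullet so it can be weighed against the other suggestions without leaving the page. As rendered here, the "Treat Government CAs like other CAs..." block and its sub-bullets appear both before and after the TLD bullet; confirm that only one copy remains in the saved revision. In the sub-list under "Make a clear statement...", the last item ("Cannot protect anyone from governments using their power on their citizens...") is an assertion sitting among questions, and would read more clearly as a stated limitation nested under the "What is out-of-scope" item.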