CA:GovernmentCAs

885 bytes added, 19:45, 28 August 2012
== Suggestions about what to do about Government CAs ==
Suggestions to consider...
 
* Annotate certain CAs as doing business in a set of language-based locales, and show an interstitial warning the first time a user visits a site whose certificate chains to an authority outside their normal linguistic area. If the user decides "yes, I want to accept certificates issued for the Chinese/Dutch/Spanish/whatever market", the warning is never shown again for that language group.
** The place where this breaks down, of course, is that (nearly) all CAs will want to participate in the .com / "global English" space. You might convince a few CAs that it is in their own best interest to restrict themselves to their actual markets in order to reduce their value as targets of attack (this would have served DigiNotar well), but it is doubtful how many businesses would volunteer for such a restriction, or how root store programs would adjudicate, impose and manage it.
* Require CAs to use separate root certificates for the hierarchies that issue certificates to governments, so that the government-facing hierarchy can be constrained or distrusted without affecting the CA's other customers.
 
 
* Restrict government roots to their TLDs. (In X.509 terms this is what the name constraints extension of RFC 5280 expresses; a root carrying a permitted-subtree of its national TLD would fail path validation for hostnames outside it rather than merely triggering a warning.)
** This has been requested in regard to specific roots, such as CNNIC: have Firefox provide a warning when the CNNIC ROOT CA is used to authenticate web sites outside the jurisdiction of the Chinese government.
** {{bug|555701}}
 
 
* Treat Government CAs like other CAs that provide the necessary documentation and audit statements to show compliance with Mozilla's CA Certificate Policy.
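The two mechanisms proposed above (scope a root to a set of DNS suffixes, and show a one-time interstitial the first time a scoped root is used outside that scope) can be prototyped as a small policy check. The following is an added example written for this page; it is not Mozilla, NSS or Firefox code and does not reflect how any browser currently behaves. The root names and scope table are constructed for illustration, and suffix matching is done label-wise in the manner of RFC 5280 DNS name constraints, so that a scope of "cn" covers "www.gov.cn" but not "cn.example.com".

```python
"""Prototype of 'scoped government roots' plus a first-visit interstitial.

Added illustration for the CA:GovernmentCAs discussion. Everything here is
hypothetical: the root names, the scope table and the Verdict semantics are
constructed for the example and are not root-store data or browser behaviour.
"""
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"          # hostname lies inside the root's declared scope
    WARN = "warn"            # outside scope, user has not accepted this root
    ACCEPTED = "accepted"    # outside scope, but user accepted this root before
    UNSCOPED = "unscoped"    # root declares no scope: behaves as today


# Constructed scope table: root name -> permitted DNS suffixes.
# An empty tuple means the root is unscoped (the status quo for every root).
ROOT_SCOPES = {
    "CNNIC ROOT": ("cn",),
    "Example Government Root (constructed)": ("gov.example", "mil.example"),
    "Example Global Root (constructed)": (),
}


def _labels(name):
    """Normalise a DNS name to lowercase labels, dropping a trailing dot."""
    return name.strip().rstrip(".").lower().split(".")


def name_within(hostname, suffix):
    """True if hostname equals suffix or is a subdomain of it.

    Matching is done on whole labels, as RFC 5280 name constraints do, so
    'cn.example.com' is NOT within 'cn' and 'evilgov.cn' IS within 'cn'.
    """
    host, suf = _labels(hostname), _labels(suffix)
    if not hostname or not suffix or "" in host or "" in suf:
        return False  # empty name or an empty label: never a match
    return len(host) >= len(suf) and host[-len(suf):] == suf


def check_site(root_name, hostname, accepted_roots=frozenset()):
    """Decide what the browser should do for a chain anchored at root_name."""
    scopes = ROOT_SCOPES.get(root_name, ())
    if not scopes:
        return Verdict.UNSCOPED
    if any(name_within(hostname, s) for s in scopes):
        return Verdict.ALLOW
    if root_name in accepted_roots:
        return Verdict.ACCEPTED
    return Verdict.WARN


class TrustSession:
    """Remembers which out-of-scope roots the user has accepted once.

    Models the 'warn the first time, never again for that group' proposal:
    the interstitial is shown at most once per root per session object.
    """

    def __init__(self):
        self.accepted = set()
        self.interstitials_shown = 0

    def visit(self, root_name, hostname, user_accepts=False):
        verdict = check_site(root_name, hostname, self.accepted)
        if verdict is Verdict.WARN:
            self.interstitials_shown += 1
            if user_accepts:
                self.accepted.add(root_name)
                return Verdict.ACCEPTED
        return verdict


if __name__ == "__main__":
    session = TrustSession()
    for root, host, accept in [
        ("CNNIC ROOT", "www.gov.cn", False),            # in scope: allow
        ("CNNIC ROOT", "cn.example.com", False),        # label trick: warn
        ("CNNIC ROOT", "mail.example.com", True),       # user accepts once
        ("CNNIC ROOT", "shop.example.com", False),      # no second warning
        ("Example Global Root (constructed)", "www.gov.cn", False),  # unscoped
    ]:
        print(f"{root:40} {host:20} {session.visit(root, host, accept).value}")
```

The table shows the trade-off the discussion raises: a root scoped to its national TLD cannot serve .com customers without tripping the warning, which is exactly why few commercial CAs would volunteer for it, while an unscoped root keeps today's behaviour and gains no protection.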