CA:GovernmentCAs

No change in size, 17:16, 30 August 2012
== Suggestions about what to do about Government CAs ==
Suggestions to consider...
 
* annotate certain CAs as doing business in a set of language-based locales, and offer an interstitial warning the first time a user visits a site certified by an authority outside of their normal linguistic area. If the user decides, yes, I want to accept certificates issued for the Chinese/Dutch/Spanish/whatever market, then that warning is never shown again for that language group.
** The place where this breaks down, of course, is that (nearly) all CAs will want to participate in the .com / "global English" space. You might convince a few CAs that it is in their own best interest to restrict themselves to their actual markets to reduce their value as targets of attack (this would've served DigiNotar well) but I wonder how many businesses would volunteer to be part of such a restriction, or how root store programs would adjudicate imposing and managing such restrictions.
* Require CAs to use separate root certificates for the CA hierarchies that are for issuing certs to governments.
*** What is out-of-scope; e.g. what are unreasonable assumptions for people to make about CAs in Mozilla's program.
*** Cannot protect anyone from governments using their power on their citizens, whether it is a government-owned CA or not.
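A sketch of the first suggestion above as an added example (not Mozilla code): root certificates are annotated with the language-based locale groups they serve, a first visit to a site whose chain ends at a root outside the user's home locale produces a warning, and accepting a locale group silences the warning for that whole group afterwards. Root fingerprints, locale tags and the annotation table are constructed placeholders; the "global" tag models the breakdown noted above, where a CA that participates in the .com / "global English" space is never questioned.

```python
from dataclasses import dataclass, field

GLOBAL = "global"  # CAs that claim the .com / "global English" space

# Constructed annotation table: root fingerprint -> locale groups the CA does business in.
ROOT_LOCALES = {
    "sha256:PLACEHOLDER-DUTCH-ROOT": {"nl"},
    "sha256:PLACEHOLDER-CHINESE-ROOT": {"zh"},
    "sha256:PLACEHOLDER-GLOBAL-ROOT": {GLOBAL},
}


@dataclass
class LocalePolicy:
    """Per-user state: home locale plus the locale groups already accepted."""
    home_locale: str
    accepted: set = field(default_factory=set)

    def decide(self, root_fp: str) -> str:
        """Classify a chain ending at root_fp: 'trust', 'warn' or 'unknown'."""
        locales = ROOT_LOCALES.get(root_fp)
        if locales is None:
            return "unknown"  # unannotated root: outside this scheme, fall back to normal trust
        if GLOBAL in locales or self.home_locale in locales:
            return "trust"    # a 'global' annotation bypasses the check entirely
        if locales <= self.accepted:
            return "trust"    # every locale group of this CA was accepted earlier
        return "warn"         # first contact with a CA outside the user's linguistic area

    def accept(self, locale_group: str) -> None:
        """Record the user's 'yes, I want certificates for this market' answer."""
        self.accepted.add(locale_group)


def warned_roots(policy: LocalePolicy) -> list:
    """Roots that would currently trigger the interstitial for this user."""
    return sorted(fp for fp in ROOT_LOCALES if policy.decide(fp) == "warn")


if __name__ == "__main__":
    user = LocalePolicy(home_locale="en")
    print(warned_roots(user))               # both non-global roots
    user.accept("nl")
    print(warned_roots(user))               # only the Chinese-market root remains
```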
 
== What Inclusion of a CA in Mozilla's Program Means ==