Confirm, administrator
5,526
edits
Changes
→Suggestions about what to do about Government CAs
== Suggestions about what to do about Government CAs ==
Suggestions to consider...
* Improve the policy text regarding independent audits. Some of the government CAs are audited by other government agencies, so essentially by themselves. If they cannot have a 3rd-party review their CA operations, then they are not a public CA, and should not be included. Audit must be independent.
* Require CAs to use separate root certificates for the CA hierarchies that are for issuing certs to governments. This allows for:
** Different UI treatment for them.
** Additional constraints based on region/language.
** Feedback:
*** UI changes will not help. UI already complicated, most users won't notice additions/changes to the UI. A lot of work involved, but very little benefit would result.
*** Any sort of marking by a CA to indicate if they issue government CAs would be based on information provided by the CAs themselves, so not clear how reliable such information would be.
* Restrict government roots to their TLDs
** This has been requested in regards to specific roots, such as CNNIC: Have Firefox provide a warning when the CNNIC ROOT CA is used to authenticate web sites outside the jurisdiction of the Chinese government.
** {{bug|555701}}
** Feedback:
*** Optional Name Constraints on government CAs have not helped. Even the CAs who agree to use Name Constraints want .org and .edu, so only solves problem for .com. Most government CAs say that they need to issue to .com. For this to be effective we would have to make Name Constraints a requirement and not optional. But then the question is for which CAs, because it is difficult to draw the line to distinguish between which CAs are government CAs.
* Treat Government CAs like other CAs that provide the necessary documentation and audit statements to show compliance with Mozilla's CA Certificate Policy.
