CA:GovernmentCAs

375 bytes added, 18:29, 14 September 2012
Concerns about Government CAs
** Some CAs have been asked to update their CP/CPS to address concerns about being compelled by third parties to inappropriately issue an intermediate or end-entity certificate. The current recommendation from the discussions appears to be to provide information about which regulatory and legal framework/jurisdiction the CA is primarily beholden to, and to add a statement that the CA will duly verify that an order from a government or other such organization is lawful before executing the order.
** https://groups.google.com/forum/?fromgroups#!topic/mozilla.dev.security.policy/qFj6WxW4isI[1-25]
** What would browsers do if a CA mis-issued a certificate, but had a court order to do so?
*** We would blacklist the false chains, and would potentially blacklist all of the CA's root certs. This would impact the CA's business. Government CAs do not have a commercial interest, so there is less downside for a Government CA being removed than for a commercial CA being removed.
== Suggestions about what to do about Government CAs ==