Changes

CA:GovernmentCAs

666 bytes added, 22:20, 11 February 2014
m
Distinguishing between a Government CA and other CAs
* CA does more than x% of its business (count of certs issued) with its own government
* CA is authoritative for a given set of names. For instance, CNNIC is authoritative for ".cn" (all of it); HARICA is authoritative for some names within ".gr"; ANSSI within ".fr".
** In the DNS, the registry for a name is authoritative for names below that name, since they decide who is assigned those names. The registry for a domain can always get certs under that name from a third-party CA. They have the ability to fake whatever information the CA is going to look at for validation, so they can convince the CA that they own the domain. If "org" wants their friend Bob to get a certificate for "*.mozilla.org", they can just set the DNS and WHOIS records to reflect that Bob owns mozilla.org. There's no point to constraining a CA's actions over names they have authority over -- they can *already* decide who gets certs for those names.
* ...?