On 11/04/15 01:05, Brian Smith wrote: > If a US-based CA were in a similar situation, would we consider name > constraining them to *.com, *.org, *.net, *.us?
If it were a US government CA, we could certainly constrain to .gov and .mil. > No, because that's not > much of a constraint. For people within China and others, a name > constraint of "*.cn" isn't much different than that. I think such a > constraint gives most of the people on this list a false sense of > resolution, because we *.cn websites aren't relevant to the our > security, so constraining CNNIC to *.cn is basically equivalent to > keeping them out of the program. But, there are many millions of > people for whom the security of *.cn websites does matter, and name > constraints don't help them. What would, if you postulate a hostile DNS registry and a hostile government? Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy