On Mon, Apr 13, 2015 at 8:19 PM, Matt Palmer <mpal...@hezmatt.org> wrote:
> To my mind, if a CA isn't trustworthy enough to be trusted to issue
> certificates for every site on the Internet, they shouldn't be trusted to
> issue certificates for *any* site on the Internet. In the case of the
> proposed name constraints for CNNIC, it leaves an especially bad taste in my
> mouth, as it could easily be interpreted as "those Chinese people deserve
> what they get".
>

While I liked (and still like) Richard Barnes' original name constraint proposal, part of the thing that made it sensical to me is that it's not about *imposing* restrictions outside of a CA's intended model, but about *describing* them.

You can argue that a government CA which might want some extra freedom to publish outside of its government-owned TLDs could be respectfully disagreed with, but for a CA like CNNIC that is ostensibly not a government CA and may want the ability to issue to anyone in the world who wishes to pay them -- you're going to make a value judgment on whether they should be able to do that?

I agree with Matt that if you just don't trust them, then don't trust them -- why would the Chinese population deserve an untrustworthy CA?

-- Eric

>
> - Matt
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>

--
konklone.com | @konklone <https://twitter.com/konklone>