On 14/04/15 01:19, Matt Palmer wrote:
> I'm not a fan of browser-imposed name constraints on CAs, at a philosophical
> level.  An important principle of the Mozilla root program, IMO, is that it
> works for the public good (insofar as "the public" is represented by "users
> of Mozilla products").  A name constraint on a CA says "we're going to
> protect *most* of the Internet from a CA's bad behaviour, but the people who
> visit sites under these prefixes...  they're on their own".

It depends on why you impose the constraint. You could, for example,
think that it's a point of principle that CAs directly controlled by
governments can only issue for their own part of the DNS, and not that
of other countries. This says nothing about whether or not you think the
government CA in question is more or less likely to misissue.

(Of course, "directly controlled"... yes, yes, I know :-|.)

Gerv


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
