On 2015-05-18 13:06, Matt Palmer wrote:
On Mon, May 18, 2015 at 12:26:26PM +0200, Kurt Roeckx wrote:
On 2015-05-14 17:25, Gervase Markham wrote:
2) "If it is different, does name-constraining government CAs make
things better, or not?"

I think it only makes sense to name constrain a government CA if the name
constrained only covers government websites, and not all websites in the
country.  Examples would be covering *.gov and *.go.jp.  I think that
restricting them to *.jp, *.in, *.cn and so on doesn't actually add enough
value.

This sounds an awful lot like "we're OK with someone having a
name-constrained intermediate that only covers a namespace they own".
Doesn't seem like we really need a separate rule just because they're a
government, although whether we'd want everyone trying to get their
name-constrained roots into Mozilla (rather than just, say, getting a
name-constrained intermediate) is a matter for some debate.

We're only talking about name constraints at this point and not Extended Key Usage. It's the combination of the two that would turn it into a "Technically Constrained CA".

If we were to say that we require government CAs to be technically constrained there would of course be no need to have them in the root program. But as you say, whether we then still want them in the root store or not is another discussion.


Kurt


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
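The distinction the thread draws between a constraint on government names (the "*.go.jp" style) and one on a whole country code ("*.jp"), and the point that name constraints only become a "technically constrained" CA when paired with an Extended Key Usage, can be made concrete with a small model. The block below is an added example, not code from the list discussion or from Mozilla; it implements the RFC 5280 section 4.2.1.10 matching rule for dNSName subtrees (a permitted subtree "go.jp" covers "go.jp" and every name built by prepending labels to it), so the thread's "*.go.jp" corresponds to a permittedSubtrees entry of "go.jp". The CA names, constraint lists and host names are constructed for illustration and do not describe any real CA, and the `is_technically_constrained` rule is a simplified reading of the EKU-plus-name-constraints combination the message describes, not the policy text itself.

```python
"""Toy name-constraint scope check (added example; not from the thread)."""
from __future__ import annotations
from dataclasses import dataclass, field

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage


def dns_matches(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName rule: `name` is in `subtree` if it equals it or is a
    label-prefixed form of it.  "ngo.jp" is therefore NOT inside "go.jp"."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().lstrip(".").rstrip(".")  # tolerate ".go.jp" spelling
    return name == subtree or name.endswith("." + subtree)


@dataclass
class NameConstraints:
    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)

    def allows(self, name: str) -> bool:
        """excludedSubtrees win; an absent permittedSubtrees list means no limit."""
        if any(dns_matches(name, s) for s in self.excluded):
            return False
        if not self.permitted:
            return True
        return any(dns_matches(name, s) for s in self.permitted)


@dataclass
class IntermediateCA:
    label: str                      # constructed label, not a real CA name
    constraints: NameConstraints
    eku: list[str]

    def is_technically_constrained(self) -> bool:
        """Simplified reading of the combination the message refers to: an EKU
        that is present and is not anyEKU, plus dNSName permittedSubtrees
        whenever the CA may issue serverAuth certificates."""
        if not self.eku or ANY_EKU in self.eku:
            return False
        if SERVER_AUTH in self.eku and not self.constraints.permitted:
            return False
        return True

    def can_issue_for(self, dns_name: str) -> bool:
        return SERVER_AUTH in self.eku and self.constraints.allows(dns_name)


# Constructed CAs: one constrained to the government namespace, one to the ccTLD.
GOV_CA = IntermediateCA("gov-only", NameConstraints(permitted=["go.jp"]), [SERVER_AUTH])
COUNTRY_CA = IntermediateCA("whole-cctld", NameConstraints(permitted=["jp"]), [SERVER_AUTH])

# Constructed host names used to compare the two scopes.
SAMPLE_NAMES = ["www.mof.go.jp", "www.bank.co.jp", "ngo.jp", "example.com"]


def scope_report(cas: list[IntermediateCA], names: list[str]) -> dict[str, list[str]]:
    """For each CA, the sample names it could issue for under its constraints."""
    return {ca.label: [n for n in names if ca.can_issue_for(n)] for ca in cas}


if __name__ == "__main__":
    for label, names in scope_report([GOV_CA, COUNTRY_CA], SAMPLE_NAMES).items():
        print(f"{label}: {names}")
```

Running it shows the asymmetry the thread is about: the "go.jp" subtree admits only the government host, while the "jp" subtree admits every Japanese host, government and commercial alike, and excludes only names outside the ccTLD. Swapping the EKU list for one containing anyExtendedKeyUsage, or dropping the permittedSubtrees entirely, makes `is_technically_constrained` false even though the constraint extension itself is unchanged.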
