On 2015-07-06 16:34, Ben Wilson wrote:
> I was asked (by someone in the audience and not by anyone specifically
> representing EU governments) to relay a message that some European
> supervisory bodies would like browsers and OS providers to enable and
> support an additional trust list or trust store, specific to the EU,
> for those Trust Service Provider-CA entities that are accredited to
> issue digital certificates in the EU.

So I'm wondering who exactly the customers of those trust lists and/or
stores are going to be and how they will use them. I have a feeling this
isn't useful for the general public but rather for specific
applications. In such a case I think it should not be a problem for
them to use only the list of CAs that they wish to trust.

So I guess it comes down to who maintains and distributes such a list,
and how it gets updated. I'm not sure that browsers and OS vendors
are the right place for that.

One way to implement this would be adding more trust settings for each
CA, and you could filter out the CAs that don't have the right trust
settings to create the list for the application. Or the application
could indicate that it requires those trust settings.

But then I start to wonder who is going to determine which CAs get
those trust settings. Is this going to require an extra audit for those
CAs, and will we then need to ask for those audit reports too? Or is the
government just going to publish a list that we can import?

Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy