On Thursday, January 7, 2016 at 12:08:10 AM UTC+1, Paul Wouters wrote:
> As was in the news before, Kazakhstan has issued a national MITM
> Certificate Agency.
>
> Is there a policy on what to do with these? While they are not trusted,
> would it be useful to explicitly blacklist these, as to make it
> impossible to trust even if the user "wanted to" ?
>
> The CA's are available here:
> http://root.gov.kz/root_cer/rsa.php
> http://root.gov.kz/root_cer/gost.php
>
> One site that uses these CA's is:
> https://pki.gov.kz/index.php/en/forum/
>
> Paul

Hi there,

If I may briefly jump in with a small observation regarding the above certs: in both, the issuer is different from the subject, which is rather unusual. Isn't that a problem?

Regards,
Sven Faw
@hexatomium
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy