On Thu, Mar 7, 2019 at 11:45 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Currently the Mozilla root program contains a large number of roots that
> are apparently single-nation CA programs serving their local community
> almost exclusively, including by providing certificates that they can
> use to serve content with the rest of the world.
>
> For purposes of this, I define a national CA as a CA that has publicly
> self-declared that it serves a single geographic community almost
> exclusively, with that area generally corresponding to national borders
> of a country or territory.
>


> 5. Should the root program policies provide rules that enforce the
>   self-declared scope restrictions on a CA[?]


This has been discussed and the decision was no.  This in turn moots your
6-9.

> 10. The root trust data provided in the Firefox user interface does not
>   clearly indicate the national or other affiliation of the trusted
>   roots, such that concerned users may make informed decisions
>   accordingly.   Ditto for the root program dumps provided to other he st
>   users of the Mozilla root program data (inside and outside the Mozilla
>   product family).  For example, few users outside Scandinavia would
>   know that "Sonera" is really a national CA for the countries in which
>   Telia-Sonera is the incumbent Telco (Finland, Sweden and Åland).
>

Mozilla has specifically chosen to not distinguish between "government
CAs", "national CAs", "commercial CAs", "global CAs", etc.  The same rules
apply to every CA in the program.  Therefore, the "national or other
affiliation" is not something that is relevant to the end user.

These have all been discussed before and do not appear to be relevant to
any current conversation.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy