Eddy Nigg (StartCom Ltd.) wrote:
> How stupid! If that's limited to "secure government to government or
> citizen to government transactions", how is that limited in the software 
> or certificate(s)? And what would its use be for the regular, typical 
> average user? I'm not a government nor employed by a government so it 
> doesn't apply to me.

You're a citizen of a state, so government-run CAs do apply to you, at 
least for the government of your country.

> Nor am I a citizen of Zimbabwe, so it doesn't apply 
> to me either... I guess I represent in that respect the majority of a 
> typical user.

I'm not sure where the reference to Zimbabwe came from, but never mind...

Your question about how this applies to the typical user is something 
we've discussed before. There's no question that most users of Firefox, 
etc., will never encounter certs issued by, e.g., the government of 
Taiwan (to take one example of a government root already in NSS). It's 
arguably of interest only to people living in Taiwan (who might use SSL 
sites set up by the Taiwan government). So why did we include this root 
in all versions of Firefox?

I've previously proposed having localized versions of the pre-loaded 
root list, so that (for example) the Taiwan government root might be 
loaded only in the traditional Chinese version of Firefox that might be 
used in Taiwan, but not in other versions (including the US English 
version). There would be technical problems of doing this (since the 
root list is embedded in NSS, we'd have to generate localized NSS 
versions), but those could probably be overcome.

More importantly, there was strong resistance to the idea of moving away 
from a universal root list. Some people pointed out that the localized 
language versions didn't exactly map to particular countries, and that 
many people in particular countries used the US English version or 
another version other than the one assumed to be "correct" for them. 
However IIRC the more vehement objection was that we should have a 
situation where some sites worked in some versions of Firefox and didn't 
work in other versions of Firefox (because the root was missing).

That's basically where we left the discussion. I didn't see any real 
support for the idea of localized root lists, so I dropped the idea. And 
that's why I'm still processing requests from government CAs. The 
alternative idea would be not including government-operated CAs at all; 
however that would cause problems for Firefox users in countries where 
such CAs existed and were used to issue certs for government sites used 
by citizens or for related purposes.

> Nope, I guess we'll have to find something better than that (if at all).

I'm still not clear on your exact objections to the Microsoft policy, or 
what you would consider a better one.

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
