I think Chinese CAs are also special cases. If American browser vendors remove a Chinese CA like WoSign, there is the possibility a fork distribution will replace Mozilla in China by inclusion of these certificates. I think it would take the cooperation of the Big 4 browser/OS vendors to remove a CA, and the Chinese market often responds by creating its own internal distribution.
But Firefox probably could name-constrain WoSign to .cn. Firefox could probably also name-constrain all StartCom-issued certificates after some cut-off date to .cn or just ban new StartCom-issued certificates entirely.
Reprising a previous comment about this suggestion:
This is one of those ideas that sounds like common sense when you hear or think about it the first time, but falls apart on scrutiny. Ryan Sleevi has done a much better job picking it apart than I can here, but among the numerous problems with it:
* The most important TLDs are transnational, and their trust hierarchies back into corporations (corporations, I will cheerfully and without irony point out, who are subject to the whims of the FVEY IC).
* It's jingoistic, suggesting we should base trust decisions not on technology or even, really, on policy, but rather on nationalism.
* It consigns residents of countries with oppressive governments to total control by their governments, while at the same time making usage constraints based on those TLDs (such as local mandates to use services whose names end in .XX for XX in $bad_countries) much more powerful.
* It further promotes the idea that security should somehow be tied to the DNS, despite the fact that the DNS is itself not transparently managed, and is often managed at odds with the interests of Internet users as a whole.
* By factionalizing Internet trust, it harms interoperability and also makes it harder to introduce further constraints into the certificate system by essentially declaring up front that we're conceding Internet trust policy to individual nations.
* It greatly complicates the security stories of companies that have adopted vanity domain names in random countries, which, whatever you think of those companies (koff! Pinboard), is an unforced error.
Of all the things we can spend time on to improve Internet security, this is not one of the better ones.
> The most important TLDs are transnational, and their trust hierarchies back into corporations (corporations, I will cheerfully and without irony point out, who are subject to the whims of the FVEY IC).
Are they? I always thought that .com, .edu, .net et al. are American. I suppose one could argue that .eu is transnational, although the EU are trying very hard to invent their own postmodern nation.
> It's jingoistic, suggesting we should base trust decisions not on technology or even, really, on policy, but rather on nationalism.
It's not really jingoism, although it might be nationalism. And is it even nationalism, when each nation-state makes its corporate decisions in a manner which is acceptable to the members of said state?
> It consigns residents of countries with oppressive governments to total control by their governments
… which they already are under, so it doesn't make anything worse. And they are, of course, free to revolt, as oppressed peoples have done throughout history, sometimes succeeding and sometimes failing.
> By factionalizing Internet trust
You say factionalising, I say federating. It doesn't make any sense to me for a corporation in Canada to certify the identity of a site in Iran for a resident of Guinea-Bissau, which is the current situation. Federation seems to me to be the only solution capable of scaling to a world of billions.
> It greatly complicates the security stories of companies that have adopted vanity domain names in random countries
I think the unforced error was placing their identities in the hands of foreign states.
And, of course, with domain-level validation, their security is already in the hands of those states.