On Mon, Mar 12, 2018 at 10:53 PM, taher.mestiri--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> I asked about fast tracks because it's taking long time to get things > processed related to the fact that all this is running by a community and I > think it can be great to brainstorm ways to handle maybe work overloads > even through paid assessments for example. > I think very few members of this community would see the time it takes to get a publicly trusted CA included as a problem. Indeed, it's actually rather quite the opposite - the time to get a CA included is likely not long enough, the time to get a CA removed is likely not fast enough, and the time for certificates to expire is not short enough. > I hope that you guys can give us a list of major corrections or > verifications to do within a certain limited time to give us the > opportunity to get our CA approved without restarting the whole process. > I hope this is not considered as special treatment as maybe I don't know > what kind of support you provide in such cases. > I shared a number of recommendations, based on the specific incidents highlighted, and the risks they posed. Restarting the whole process is something that has been requested of other CAs with similar deficiencies, because in a large part, this whole ecosystem is based on trust. For a CA to request inclusion, but not demonstrate sufficient technical understanding on how to manage that trust, is reasonable grounds to not trust them. Trust is not automatically granted and then slowly removed - rather, it's slowly earned, based on the quality of character and continued display of trustworthiness. In the case of this inclusion request, both the practices and the policies demonstrated significant gaps from what would be expected. An alternative answer might be to deny inclusion for 2 or more years, since that is often how long it can take to build an organization with both the technical expertise and the implementation to support it, as even the 'best' CAs can attest. However, I tried to offer a more targeted set of suggestions, based on the specific deficiencies that caused trust to be undermined here. While these are only my suggestions, it highlights the problematic patterns on display. In the end, I'm not sure why the Tunisian Government feels it should run a publicly trusted CA, so I don't know if there are other alternatives to suggest that might offer a more expedient, more secure, more reliable basis for trust. If that was to be shared, perhaps there are other solutions that may work. In the absence of that, the failures at the basic and core competencies of being a publicly trusted CA should be concerning. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
