On Thursday, March 7, 2019 at 11:20:54 AM UTC-5, Matthew Hardeman wrote:
> On Thu, Mar 7, 2019 at 4:20 AM James Burton via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> 
> >
> > There isn't any monopoly that prevents citizens and organizations in the
> > United Arab Emirates from getting certificates from CAs and they are not
> > expensive. Let's Encrypt provides free domain validated certificates to
> > everyone around the world. Next.
> >
> 
> This is not entirely accurate and the manner in which it is inaccurate may
> be material to this discussion.
> 
> Let's Encrypt does not quite provide certificates to everyone around the
> world.  They do prevent issuance to and revoke prior certificates for those
> on the United States' various SDN (specially designated nationals) lists.
> For example, units of the Iraqi government or those acting at their behest
> may not receive Let's Encrypt certificates.
> 
> Obviously that is not an issue for the UAE or its people.  At least not
> today.  But it always could be that it will be an issue someday.
> 
> What the people of the UAE don't have today is the ability to acquire
> globally trusted certificates from a business in their own legal
> jurisdiction who would be able to provide them with certificates even in
> the face of exterior political force.

I think that the information you provided made it clear that there actually 
exists a *benefit for the consumers* allowing UAE's national root to be 
included in the program, because it provides safeguards to their citizens and 
companies (in the context of UAE's national cyber security strategy) in the 
event of an international conflict (e.g. a war for whatever reason), where 
adversary countries could impose sanctions on them, provoking disruption in
their services because of their certificates (obtained from foreign CAs) 
getting revoked. 

Although it is worth noting that the advantages of managing their own national 
root for the sake of sovereignty defense would be clearly diminished if the 
Mozilla root program (or the company behind?) could be obliged by any 
government at that point to retire UAE's national root from the program too.

So the following holds true and (from my point of view) is very critical indeed.
Quoting Benjamin Gabriel:

> ...that sovereign nations have the fundamental right to provide digital 
> services to their own citizens, utilizing their own national root, without 
> being held hostage by a provider situated in another nation.  You should note 
> that DarkMatter's request is also for the inclusion of UAE's national root.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
