On Thu, Mar 7, 2019 at 11:55 AM Wayne Thayer <wtha...@mozilla.com> wrote:
This line of thinking seems to conflate a few different issues. > That is true. I apologize for that, but also feel that some of these different issues and how they'd play out in relation with this current matter and ultimately with the inclusion request need to be discussed. > There are roughly 195 nations in existence today. I would guess that less > than half have a domestic, publicly-trusted CA. I would agree that we have > a big problem if websites in any jurisdiction can't obtain trusted > certificates. The Mozilla manifesto [1] states "We are committed to an > internet that includes all the peoples of the earth" and "The internet is a > global public resource that must remain open and accessible". However, I > don't think that minting 100 new CAs is the best, or even a good way to > solve the problem. > Probably not a good way, but it is likely to be an effective one. > Many CAs offer robust "reseller" programs that would allow a local company > to provide certificates to a given region in the local language and > currency. I acknowledge that this does not address the "exterior political > force" portion of the concern, but it does address the concern of making it > easy for website operators in any given country to obtain certificates. > Some of my concerns relate particularly to this. As an example, once upon a time it was forbidden for US citizens in the general case to engage in transactions with Cuban individuals or entities (whether a part of Cuban government or not). That would effectively disable US based CAs from issuing end-entity certificates to those parties. Today, I don't believe we immediately have that restriction, but it can happen as it has happened before. After the example case I've mentioned elsewhere in this thread, usareally.com, lost its certificate from Let's Encrypt, the CT Logs suggest that they turned to GlobalSign (who I don't believe are US based) and yet still issued and quickly revoked certificates for the site. At this time, the site ultimately secured certificates from WoTrust (I believe a managed subCA effectively operated by Certum). It's conceivable that geopolitical concerns could prevent potential subscribers from getting certificates. > The very next request in the Mozilla inclusion queue is for the UAE > government. [2] Denying DarkMatter does not mean that there can't or won't > be a CA in the UAE. > Indeed, which further opens up a question of what the outcome of the initial question of whether to revoke/OneCRL the DarkMatter intermediates means in terms of a future where the UAE is permitted a national PKI. What if you OneCRL Dark Matter, only to have the UAE National CA decide that commercial and individual interests in the UAE would be served by having at least one commercial CA operating in-country and so create a fully delegated SubCA for DarkMatter? (I have no insider knowledge at all here - no reason to suspect things would or could go that way.) But pre-supposing the possibility that Mozilla would need to respond to that in some way is intriguing. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy