On Thu, Mar 7, 2019 at 5:14 PM Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Whilst those are all good points, I don't see how any of them require the
> CA to control an unconstrained intermediate CA certificate (or a root
> certificate). All of those things can be done as a reseller or
> third-party-managed CA.

There's a fundamental difference in gaining membership to a root store like the Mozilla program. As I recall, the program intentionally doesn't maintain contractual relationships with the CAs. It could be argued under US sanctions laws that the act of working with an entity and adding their root to the store could in that moment be a regulated transaction. However, once it's on the trust list, its continuation there is not a new service or product being provided to a sanctioned entity. At that point, it's merely continued publication of a curated list, which in the US qualifies as protected speech.

On the other hand, if DarkMatter (or any other foreign entity) signed a managed SubCA deal with a CA such as Digicert (based in the US), at any time down the road the foreign entity might, for whatever reason, become subject to US sanctions. If that happened, any active service or product delivery performance by Digicert would have to stop. And so, there is a material difference.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy