On Thu, Mar 07, 2019 at 05:30:24PM -0600, Matthew Hardeman wrote:
> On Thu, Mar 7, 2019 at 5:14 PM Matt Palmer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Whilst those are all good points, I don't see how any of them require
> > the CA to control an unconstrained intermediate CA certificate (or a
> > root certificate). All of those things can be done as a reseller or
> > third-party-managed CA.
>
> There's a fundamental difference in gaining membership to a root store
> like the Mozilla program.
>
> As I recall, the program intentionally doesn't maintain contractual
> relationships with the CAs.
>
> It could be argued under US sanctions laws that the act of working with
> an entity and adding their root to the store could in that moment be a
> regulated transaction. However, once it's on the trust list, its
> continuation there is not a new service or product being provided to a
> sanctioned entity. At that point, it's merely continued publication of a
> curated list, which in the US qualifies as protected speech.
That's a *really* long bow to draw. Also, whilst Mozilla might not maintain
a contractual relationship with a CA, other root programs *do*, so if the US
government wants something distrusted, they're gone.

Conversely, though, not all existing root CAs (or even intermediates) are
based in the US, so it should be *much* easier to find a CA to resell than
to ensure that a trust anchor remains globally included.

- Matt