On Thursday, March 7, 2019 at 6:35:13 PM UTC-5, Matt Palmer wrote:
> On Thu, Mar 07, 2019 at 10:20:34AM -0600, Matthew Hardeman wrote:
> > Let's Encrypt does not quite provide certificates to everyone around the
> > world. They do prevent issuance to and revoke prior certificates for those
> > on the United States various SDN (specially designated nationals) lists.
> > For example, units of the Iraqi government or those acting at their behest
> > may not receive Let's Encrypt certificates.
> >
> > Obviously that is not an issue for the UAE or its people. At least not
> > today. But it always could be that it will be an issue someday.
> >
> > What the people of the UAE don't have today is the ability to acquire
> > globally trusted certificates from a business in their own legal
> > jurisdiction who would be able to provide them with certificates even in
> > the face of exterior political force.
>
> In the face of exterior political force, the people of the UAE couldn't get
> *globally trusted* certificates full-stop. Off the top of my head, all of
> the widely-adopted web PKI trust stores are managed by US organisations.
> One directive from the US government, and a trust anchor is *gone*. Thus,
> having a trust anchor is not even a *sufficient* condition to produce the
> outcome you're advocating for, let alone a necessary one.

Maybe it is time for root programs to start thinking about moving their operations to more neutral countries, e.g. Switzerland.

>
> if the UAE government, or its people, wishes to ensure their supply of
> "globally trusted" certificates, they need to start running their own PKI
> trust store.
>
> - Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy