On Saturday, July 4, 2020 at 3:43:22 PM UTC-7, Ryan Sleevi wrote:
> > Thank you for explaining that. We need to hear the official position from
> > Google. Ryan Hurst are you out there?
Although Ryan Sleevi has already pointed this out, since I was named explicitly, I wanted to respond and re-affirm that I am not responsible for Chrome's (or anyone else's) root program. I represent Google Trust Services (GTS), a Certificate Authority (CA) that is subject to the same requirements as any other WebPKI CA. While I am watching this issue closely, as I do all WebPKI-related incidents, since this is not an issue that directly impacts GTS I have chosen to be a quiet observer.

With that said, as a long-time member of the WebPKI, and in a personal capacity, I would say one of the largest challenges in operating a CA is how to handle incidents when they occur. In every incident, I try to keep in mind that a CA's ultimate responsibility is to the users that rely on the certificates they issue. This means that when balancing the impact of decisions, a CA should give weight to protecting those users. This reality unfortunately also means that sometimes it is necessary to take actions that may cause pain for the subscribers they provide services to. Wherever possible a CA should minimize pain on the relying party, but more times than not, the decision to use the WebPKI for these non-browser TLS use cases was made to externalize the costs of deploying a dedicated PKI that is fit for purpose, and as with most trade-offs there may be later consequences to that decision.

As for my take on this topic, I think Peter Bowen has done an excellent job capturing the issue, its risks, origins, and the choices available.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy