On Thu, Mar 7, 2019 at 9:20 AM Matthew Hardeman via dev-security-policy < [email protected]> wrote:
> > What the people of the UAE don't have today is the ability to acquire > globally trusted certificates from a business in their own legal > jurisdiction who would be able to provide them with certificates even in > the face of exterior political force. > > This line of thinking seems to conflate a few different issues. There are roughly 195 nations in existence today. I would guess that less than half have a domestic, publicly-trusted CA. I would agree that we have a big problem if websites in any jurisdiction can't obtain trusted certificates. The Mozilla manifesto [1] states "We are committed to an internet that includes all the peoples of the earth" and "The internet is a global public resource that must remain open and accessible". However, I don't think that minting 100 new CAs is the best, or even a good way to solve the problem. Many CAs offer robust "reseller" programs that would allow a local company to provide certificates to a given region in the local language and currency. I acknowledge that this does not address the "exterior political force" portion of the concern, but it does address the concern of making it easy for website operators in any given country to obtain certificates. The very next request in the Mozilla inclusion queue is for the UAE government. [2] Denying DarkMatter does not mean that there can't or won't be a CA in the UAE. [1] https://www.mozilla.org/en-US/about/manifesto/ [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1474556 _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
