I'll share this publicly, so that there's no suggestion that personally or professionally Google Trust Services is treated any differently than any other CA. As a publicly trusted CA, I personally find this a deeply disappointing post towards positive engagement. It's disappointing because it lacks substance and yet makes broad (and negative) claims, and while it highlights the importance of avoiding a "sub-standard solution", it doesn't actually offer any meaningful or concrete technical feedback or even highlight concerns, only an intent to delay discussion.
However, my greatest concern is the misrepresentation about the nature of requirements and recommendations, which are the /only/ binding thing for a publicly trusted CA in Mozilla's program. This, coupled with the suggestion of a "bylaw change" (which is ambiguous as to what is meant here, but might be presumed to mean a change in a CA/B Forum ballot), is concerning, because it seems to suggest a movement from a public discussion to a private discussion, and seems very contrary to the spirit of an open and productive discussion, and seems to match a tactic used by several concerning CAs to delay necessary or positive improvements. Perhaps these aren't intended, and I realize that GTS' involvement in m.d.s.p. to date has largely been limited to Incident Responses, and so as a first response, it may still be a learning experience. I know Ryan Hurst was much more engaged and prolific here, in the past and in an official capacity, and much more engaged on technical, substantive and positive contributions, and his contributions were often very valuable. I'm glad to see GTS is, like every other CA in the Mozilla program, following the conversation, and like some of the CAs in the program, moving to a point where they actively participate in the discussions. These are good things, and while some are already required, it's good to see GTS actually step up. But as a first message, it leaves a lot to be desired, both in terms of when and in terms of what. I appreciate the commitment to post and share further details, and look forward to understanding GTS' concerns. I understand that there can be challenges in getting approvals, and I can understand and appreciate that CAs face challenges in public engagement, even though they're publicly trusted. Yet that should still remain a common expectation of all publicly trusted CAs. We know that when CAs present it as overly burdensome to engage publicly, a number of behaviours tend to emerge that are overall harmful to public trust.
I hope you can take this feedback as a positive exhortation to encourage the good, while highlighting deep concerns with the substance, approach, and proposals and why it's worked out very poorly over the past decade+. If the concern is around extended revoked, I wholly agree there are concerns there. I'm not sure I'm wholly onboard with Curt's processing model either, and will respond separately to that, but I think it's a huge and positive contribution that Curt's made, because it helps provide something concrete to talk about. However, when there are concerns, it's better for the discussion to plainly state that, rather than the spectre of vague concerns. If it's something else, it helps to know what it is, and I'm not sure a conversation hamstrung by 2-3+ day turnarounds, as currently seems to be the suggestion, really helps show a CA being agile enough to lead with good practices.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

