On Mon, Mar 12, 2018 at 10:53 PM, taher.mestiri--- via dev-security-policy <
> I asked about fast tracks because it's taking long time to get things
> processed related to the fact that all this is running by a community and I
> think it can be great to brainstorm ways to handle maybe work overloads
> even through paid assessments for example.
I think very few members of this community would see the time it takes to
get a publicly trusted CA included as a problem. Indeed, it's actually
rather quite the opposite - the time to get a CA included is likely not
long enough, the time to get a CA removed is likely not fast enough, and
the time for certificates to expire is not short enough.
> I hope that you guys can give us a list of major corrections or
> verifications to do within a certain limited time to give us the
> opportunity to get our CA approved without restarting the whole process.
> I hope this is not considered as special treatment as maybe I don't know
> what kind of support you provide in such cases.
I shared a number of recommendations, based on the specific incidents
highlighted, and the risks they posed. Restarting the whole process is
something that has been requested of other CAs with similar deficiencies,
because in a large part, this whole ecosystem is based on trust. For a CA
to request inclusion, but not demonstrate sufficient technical
understanding on how to manage that trust, is reasonable grounds to not
trust them. Trust is not automatically granted and then slowly removed -
rather, it's slowly earned, based on the quality of character and continued
display of trustworthiness. In the case of this inclusion request, both the
practices and the policies demonstrated significant gaps from what would be
An alternative answer might be to deny inclusion for 2 or more years, since
that is often how long it can take to build an organization with both the
technical expertise and the implementation to support it, as even the
'best' CAs can attest. However, I tried to offer a more targeted set of
suggestions, based on the specific deficiencies that caused trust to be
undermined here. While these are only my suggestions, it highlights the
problematic patterns on display.
In the end, I'm not sure why the Tunisian Government feels it should run a
publicly trusted CA, so I don't know if there are other alternatives to
suggest that might offer a more expedient, more secure, more reliable basis
for trust. If that was to be shared, perhaps there are other solutions that
may work. In the absence of that, the failures at the basic and core
competencies of being a publicly trusted CA should be concerning.
dev-security-policy mailing list