On Thu, Mar 07, 2019 at 10:20:34AM -0600, Matthew Hardeman wrote:
> Let's Encrypt does not quite provide certificates to everyone around the
> world. They do prevent issuance to and revoke prior certificates for those
> on the United States' various SDN (specially designated nationals) lists.
> For example, units of the Iraqi government or those acting at their behest
> may not receive Let's Encrypt certificates.
>
> Obviously that is not an issue for the UAE or its people. At least not
> today. But it always could be that it will be an issue someday.
>
> What the people of the UAE don't have today is the ability to acquire
> globally trusted certificates from a business in their own legal
> jurisdiction who would be able to provide them with certificates even in
> the face of exterior political force.

In the face of exterior political force, the people of the UAE couldn't get *globally trusted* certificates full-stop. Off the top of my head, all of the widely-adopted web PKI trust stores are managed by US organisations. One directive from the US government, and a trust anchor is *gone*.

Thus, having a trust anchor is not even a *sufficient* condition to produce the outcome you're advocating for, let alone a necessary one. If the UAE government, or its people, wishes to ensure their supply of "globally trusted" certificates, they need to start running their own PKI trust store.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy