I'll share this publicly, so that there's no suggestion that personally or
professionally Google Trust Services is treated any differently than any
other CA. As a publicly trusted CA, I personally find this a deeply
disappointing post towards positive engagement. It's disappointing because
it lacks substance and yet makes broad (and negative) claims, and while it
highlights the importance of avoiding a "sub-standard solution", it doesn't
actually offer any meaningful or concrete technical feedback or even
highlight concerns, only an intent to delay discussion.

However, my greatest concern is the misrepresentation about the nature of
requirements and recommendations, which are the /only/ binding thing for a
publicly trusted CA in Mozilla's program. This, coupled with the suggestion
of a "bylaw change" (which is ambiguous as to what is meant here, but might
be presumed to mean a change in a CA/B Forum ballot), is concerning,
because it seems to suggest a movement from a public discussion to a
private discussion, and seems very contrary to the spirit of an open and
productive discussion, and seems to match a tactic used by several
concerning CAs to delay necessary or positive improvements.

Perhaps these aren't intended, and I realize that GTS' involvement in
m.d.s.p. to date has largely been limited to Incident Responses, and so as
a first response, it may still be a learning experience. I know Ryan Hurst
was much more engaged and prolific here, in the past and in an official
capacity, and much more engaged on technical substantive and positive
contributions, and his contributions were often very valuable. I'm glad to
see GTS is, like every other CA in the Mozilla program, following the
conversation, and like some of the CAs in the program, moving to a point
where they actively participate in the discussions. These are good things,
and while some are already required, it's good to see GTS actually step up.
But as a first message, it leaves a lot to be desired, both in terms of
when and in terms of what.

I appreciate the commitment to post and share further details, and look
forward to understanding GTS' concerns. I understand that there can be
challenges in getting approvals, and I can understand and appreciate CAs'
face challenges in public engagement, even though they're publicly trusted.
Yet that should still remain a common expectation of all publicly trusted
CAs. We know that when CAs present it as overly burdensome to engage
publicly, a number of behaviours tend to emerge that are overall harmful to
public trust. I hope you can take this feedback as a positive exhortation
to encourage the good, while highlighting deep concerns with the substance,
approach, and proposals and why it's worked out very poorly over the past
decade+.

If the concern is around extended revoked, I wholly agree there are
concerns there. I'm not sure I'm wholly onboard with Curt's processing
model either, and will respond separately to that, but I think it's a huge
and positive contribution that Curt's made, because it helps provide
something concrete to talk about. However, when there are concerns, it's
better for the discussion to plainly state that, rather than the spectre of
vague concerns. If it's something else, it helps to know what it is, and
I'm not sure a conversation hamstrung by 2-3+ day turnarounds, as currently
seems to be the suggestion, really helps show a CA being agile enough to
lead with good practices.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to