On Thu, Mar 12, 2020 at 10:58 AM Jeremy Rowley <jeremy.row...@digicert.com> wrote:
> I think this statement is not accurate: "As a result, CAs don't pursue
> automation, or when they support it, neither promote nor require it." I
> know very few CAs who want to spend extra resources on manual validations
> and just as few who don't support some level of automation. The manual
> methods are generally used because so many companies haven't automated this
> process or refuse to.

I think you'd be hard pressed to find many CAs that, as part of their sales/outreach, promote automation first. I don't deny that there are many CAs that support automation (indeed, over 99% of issuance is from CAs that support automation in some form), but when the first touch for many organizations, large or small, remains manual validation methods such as "paste a CSR", that's hardly an inaccurate statement. It's equally rare to find a CA that states that manual methods may require costs commensurate with their effort, or in any way indicates to a Subscriber that the lack of automation represents a burden that the Subscriber has some culpability in bearing. I certainly don't know of many CAs who actively refuse to issue certain types of certificates, absent automation.

> The automated methods weren't even codified until ballot 169 which was
> late 2016. We're at less than 4 years for automation being a real option.
> Although I don't have empirical data for other CAs, the LE adoption rate (a
> billion certs since indicates a fairly rapid adoption of automated methods
> compared to other changes in the industry.

That's not at all true, even remotely. Ballot 169 hardly codified automated methods, and a number of CAs had long offered automated solutions before then. Especially under the pre-existing "Any other method" validation, CAs had plenty of room for automation, and had been doing so for some time (this, in turn, influenced Ballot 169).

I hate to haggle in the weeds here, since the conversation is really about lifetimes, but I think the record deserves correcting, because it cuts to the heart: which is that automation has long been known, and supported, and the only appreciable difference is not the difficulty, but the recalcitrance to push forward on that.

In many ways, this is because CAs are a fungible commodity, and if one CA requires automation for their issuance, a Subscriber can just as easily go to another CA that does not require automation. As a consequence, CAs have strong negative externalities towards security-positive improvements. The balance for those externalities is the imposition of requirements by user agents, acting on behalf of the user, to ensure that the user's needs (of site operators and CAs) are reflected, since the entirety of the Web PKI exists for the user's benefit of being assured about the domain/origin.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy