[Writing in a personal capacity, these views do not represent those of my employer]
On Wednesday, March 6, 2019 at 7:51:21 AM UTC-8, Ryan Sleevi wrote:
>
> As it relates to TLS certificates, which is the purpose of discussion for
> this root inclusion, could you highlight or explain why "citizens,
> residents, and visitors" do not have access to TLS certificates, or how
> those protections offered by DarkMatter are somehow different?
>
> I highlight this, because given the inherently global nature of the
> Internet, there is no technical need to work with local CAs, and, with a
> well-run root store, all CAs provide an equivalent level of protection and
> security, which rests in the domain authorization.

This has been raised several times, somewhat dismissively in this thread, so I felt like speaking out. Setting aside the discussion about DarkMatter specifically, here are some ways in which having a CA in a new jurisdiction that isn't currently represented in the ecosystem can bring value:

* Allow users to transact business in their normal currency
* Allow users to transact business without international currency usage fees
* A "domestic" CA is far more likely to be able to do business in the local language compared to CAs that don't have any presence in a country where that language is spoken.
* Many, if not all, subscription agreements have a choice of venue clause in them. A "local" CA allows subscribers to ensure the contract is subject to their local laws rather than those of a foreign country
* There are many other factors easier to transact business domestically than internationally, even with things as benign as contacting the CA by phone or mail.

[Further discussion about choice in the marketplace elided to keep this mail more on point]

> This is, of course,
> comparable to the domain name system of gTLDs (rather than ccTLDs), which
> is inherently global in nature.

The reasons above might help to explain why https://www.icann.org/registrar-reports/accredited-list.html lists almost 2500 domain registrars in 70 different countries.

Again, I'm not taking any sort of position on DarkMatter's inclusion request. I just want to point out that while more CAs may add risk to the ecosystem, more choice for subscribers adds value as well, and the trade-off shouldn't be so easily dismissed.

Benjamin