Hi @AlvaHenrik, all of the people and organizations who originally started this project are based in the United States, and it would be quite a challenge to try to incorporate or locate infrastructure abroad. It’s also not obvious to me that there is some jurisdiction that is unequivocally legally safer in this way. In some cases government pressure on technology and communications firms may just not have been widely publicly reported. I remember meeting with people from an industry association (that represented firms all over the world) and asking them about surveillance issues, to which they replied something like “oh, of course all of our members have to deal with demands from states and of course it’s not something they ever talk about in public”.
I’ve written and spoken elsewhere about some of the reasons that I don’t think that we would be a good target for an attempt at compelled misissuance. Maybe we can set these out in detail somewhere. Briefly, the organizations that created ISRG are especially committed to privacy and security and we’re working with lawyers who have been extremely active in challenging the U.S. government over surveillance issues. We have also begun publishing legal transparency reports including detailed statistics about governmental or legal requests (the first report shows that there have never been any such requests), and we’ve committed to using Certificate Transparency to publish every certificate that we issue, so we’re promising never to issue a certificate in secret. We hope to create a more transparent certificate issuance environment where we are not able to get away with misissuance, regardless of the reason for the misissuance event.
Because of the weakest-link problem with the CA system to date, it would probably be easier for governments that want to attack TLS via misissued certificates to find another CA (in any jurisdiction) that is less transparent and less disposed to do its utmost to fight back against such requests, and try to compel that CA instead of us. Maybe that will change for some attacks in the future as a result of adoption of technologies like CAA and HPKP, but for the general case right now, I don’t see a reason why any government would think that we’re the best CA to try to get misissued certs out of!
If people can think of additional transparency measures that we can adopt to try to ensure that we always get caught quickly if we ever misissue, we would love to hear about them!