Discussion of SERPRO Inclusion Request on CCADB Public


Ben Wilson

Nov 21, 2022, 1:39:09 PM
to dev-secur...@mozilla.org
All,

As previously announced, public discussions of root inclusion requests will be taking place on the CCADB public list. Public discussion of a request for inclusion by SERPRO is taking place there now through the end of the year. Here is a link to the relevant thread.

Following public discussion, I will post a summary of the discussion on the CCADB Public list. At that point, public discussion will move to this list (m-d-s-p) for a one-week "last call" period. (See Step 7 in the Application Process)

Thanks,

Ben

Kurt Seifried

Nov 21, 2022, 1:43:25 PM
to Ben Wilson, dev-secur...@mozilla.org
Question: Are there any guidelines for bringing up concerns or structuring arguments/evidence both in favor and against a new CA being included? All the web page says:


Mozilla's dev-security-policy (MDSP) mailing list is used for discussions of Mozilla policies related to security in general and CAs in particular, and for wider discussions about the WebPKI. Among other things, it is the preferred forum for the public-comment phase of CA evaluation. If you are a regular participant in MDSP, then please add your name to the Policy Participants page.






--
Kurt Seifried (He/Him)
ku...@seifried.org

Ben Wilson

Dec 5, 2022, 3:01:29 PM
to Kurt Seifried, dev-secur...@mozilla.org
Hi Kurt,
With regard to Mozilla's process, here is some helpful information: https://wiki.mozilla.org/CA/Application_Verification#Public_Discussion
Is this the kind of information you were looking for? If so, then we'll be copying similar text, with enhancements, over to the CCADB.org website (without the Mozilla-specific language), as further guidance.
Thanks,
Ben

Kurt Seifried

Dec 10, 2022, 5:40:35 PM
to Ben Wilson, dev-secur...@mozilla.org
I think the problem is that I look at statements like:

The person conducting initial information verification uses the CCADB to check the completeness of information about:
the CA owner,
the CA's auditor,

These are very non-trivial things to verify and prove, witness TrustCor's auditor maybe or maybe not being accredited at the time of the audit. Ownership is nigh impossible to prove, e.g. Corp A owns the CA, but what if a majority of Corp A's (unlisted) voting shares are held by a set of companies that are actually interlocking?

I guess what I'd like to see is "HOW" not just "WHAT", e.g. HOW do I validate who owns the CA? HOW is the community supposed to accomplish these things?

