I think the problem is that I look at statements like:

The person conducting initial information verification uses the CCADB to check the completeness of information about:
the CA owner,
the CA's auditor,

These are very non-trivial things to verify and prove, witness TrustCor's auditor maybe or maybe not being accredited at the time of the audit. Ownership is nigh impossible to prove, e.g. Corp A owns the CA, but what if a majority of Corp A's (unlisted) voting shares are held by a set of companies that are actually interlocking?

I guess what I'd like to see is "HOW" not just "WHAT", e.g. HOW do I validate who owns the CA? HOW is the community supposed to accomplish these things?

On Mon, Dec 5, 2022 at 1:01 PM Ben Wilson <bwi...@mozilla.com> wrote:

Hi Kurt,

With regard to Mozilla's process, here is some helpful information: https://wiki.mozilla.org/CA/Application_Verification#Public_Discussion.

Is this the kind of information you were looking for? If so, then we'll be copying similar text, with enhancements, over to the CCADB.org website (without the Mozilla-specific language), as further guidance.

Thanks,
Ben

On Mon, Nov 21, 2022 at 11:43 AM Kurt Seifried <ku...@seifried.org> wrote:

Question: Are there any guidelines for bringing up concerns or structuring arguments/evidence both in favor and against a new CA being included? All the web page says:

Mozilla's dev-security-policy (MDSP) mailing list is used for discussions of Mozilla policies related to security in general and CAs in particular, and for wider discussions about the WebPKI. Among other things, it is the preferred forum for the public-comment phase of CA evaluation. If you are a regular participant in MDSP, then please add your name to the Policy Participants page.

On Mon, Nov 21, 2022 at 11:39 AM Ben Wilson <bwi...@mozilla.com> wrote:

All,

As previously announced, public discussions of root inclusion requests will be taking place on the CCADB public list. Public discussion of a request for inclusion by SERPRO is taking place there now through the end of the year. Here is a link to the relevant thread.

Following public discussion, I will post a summary of the discussion on the CCADB Public list. At that point, public discussion will move to this list (m-d-s-p) for a one-week "last call" period. (See Step 7 in the Application Process)

Thanks,
Ben

--
Kurt Seifried (He/Him)
ku...@seifried.org