Root Inclusion Completeness Checks


Ben Wilson

Dec 12, 2022, 12:19:28 PM
to Kurt Seifried, dev-secur...@mozilla.org
Hi Kurt,

I'm moving this to its own subject line.

The verification stage (prior to placing an inclusion case in the public discussion queue) looks at whether the CA has provided the information.

Some information about equitable ownership is usually provided in the CA's Value Justification document. Additionally, a review of information available online from government sources is used to determine/confirm the official legal name of the entity. However, we could do a better job at determining the equitable ownership and corporate relationships of CAs, if that is what you're getting at. For instance, press releases are sometimes a good source of information about majority shareholders.

As you observe, it can get very complicated.

Ben

On Sat, Dec 10, 2022 at 3:40 PM Kurt Seifried <ku...@seifried.org> wrote:
I think the problem is that I look at statements like:

The person conducting initial information verification uses the CCADB to check the completeness of information about:
the CA owner,
the CA's auditor,

These are very non-trivial things to verify and prove, witness Trustcor's auditor maybe or maybe not being accredited at the time of the audit. Ownership is nigh impossible to prove, e.g. Corp A owns the CA, but what if a majority of Corp A's (unlisted) voting shares are held by a set of companies that are actually interlocking? 

I guess what I'd like to see is "HOW" not just "WHAT", e.g. HOW do I validate who owns the CA? HOW is the community supposed to accomplish these things?



On Mon, Dec 5, 2022 at 1:01 PM Ben Wilson <bwi...@mozilla.com> wrote:
Hi Kurt,
With regard to Mozilla's process, here is some helpful information: https://wiki.mozilla.org/CA/Application_Verification#Public_Discussion
Is this the kind of information you were looking for?  If so, then we'll be copying similar text, with enhancements, over to the CCADB.org website (without the Mozilla-specific language), as further guidance.
Thanks,
Ben

On Mon, Nov 21, 2022 at 11:43 AM Kurt Seifried <ku...@seifried.org> wrote:
Question: Are there any guidelines for bringing up concerns or structuring arguments/evidence both in favor and against a new CA being included? All the web page says:


Mozilla's dev-security-policy (MDSP) mailing list is used for discussions of Mozilla policies related to security in general and CAs in particular, and for wider discussions about the WebPKI. Among other things, it is the preferred forum for the public-comment phase of CA evaluation. If you are a regular participant in MDSP, then please add your name to the Policy Participants page.




On Mon, Nov 21, 2022 at 11:39 AM Ben Wilson <bwi...@mozilla.com> wrote:
All,

As previously announced, public discussions of root inclusion requests will be taking place on the CCADB public list. Public discussion of a request for inclusion by SERPRO is taking place there now through the end of the year. Here is a link to the relevant thread.

Following public discussion, I will post a summary of the discussion on the CCADB Public list.  At that point, public discussion will move to this list (m-d-s-p) for a one-week "last call" period. (See Step 7 in the Application Process)

Thanks,

Ben



--
Kurt Seifried (He/Him)
ku...@seifried.org



Kurt Seifried

Dec 12, 2022, 12:37:51 PM
to Ben Wilson, dev-secur...@mozilla.org
Can you share/link the Mozilla processes for verifying these documents/ownership/etc?

Ben Wilson

Dec 12, 2022, 1:04:22 PM
to Kurt Seifried, dev-secur...@mozilla.org
Kurt,
I'll see if there is anything I can provide that might be helpful.
Ben

Kurt Seifried

Dec 22, 2022, 12:46:28 PM
to Ben Wilson, dev-secur...@mozilla.org
Ping, any movement on this?

Ben Wilson

Dec 22, 2022, 12:49:05 PM
to Kurt Seifried, dev-secur...@mozilla.org
Currently, I am very busy working on the CCADB updates.
Maybe I can provide something in January.
Thanks for your patience.
Ben