All,

Here are some of my thoughts.

The current policy allows cross-signing of externally operated CAs. What GoDaddy proposes to do with Certainly is the current practice. In this case, Certainly happens to have an application to have its root trusted directly in the root store, which is actually a better scenario than one in which the cross-signed external operator does not intend to seek direct inclusion in the root store.

The wiki page (https://wiki.mozilla.org/CA/External_Sub_CAs_not_Technically_Constrained) clarifies how public discussion is to occur. It can be improved as needed, but it does not contemplate that the regular application for root inclusion should delay the process. There are two different trust decisions and processes presented here. Certainly will still have to meet all of the steps that other CA operators are required to meet for root inclusion, although some of these tasks will be closer to completion due to the fact that Certainly is going through this process with GoDaddy.

I suppose we can review the prioritization criteria <https://wiki.mozilla.org/CA/Prioritization> and see whether anything needs amendment.

The announced three-week period should be sufficient for people to more closely examine Certainly, to ask questions, and to bring comments forward regarding whether they believe Certainly is an appropriate entity to operate a subCA under GoDaddy's root.

Thanks,
Ben

On Thu, Feb 17, 2022 at 5:18 PM Ryan Sleevi <[email protected]> wrote:

> On Thu, Feb 17, 2022 at 2:52 PM Wayne Thayer <[email protected]> wrote:
>
>> *You will recall participating in the discussion of this policy in 2021 [2], at which time some similar ideas were suggested by others. I acknowledge that Mozilla has the right to perform whatever due diligence they deem appropriate to protect users; however, the decision to do so should not be arbitrary. What you are proposing amounts to a retroactive policy change.*
>
> I'm not sure that it would amount to a retroactive policy change? Doesn't that conclusion assume that a positive dispensation should be automatically granted?
>
> From that same policy document:
>
>> Following public discussion, the Mozilla CA Program Manager will determine whether the subCA operator will be accepted, and update the corresponding CCADB record to indicate the result.
>
> and
>
>> After a minimum of 3 weeks have passed, a Mozilla representative will announce a one-week “last call” for objections. Mozilla may determine to extend public discussion, or approve or reject the subCA operator.
>
> I'm suggesting that it would be prudent to either reject, or, alternatively, extend, public discussion until the two processes are in sync.
>
> I'm not trying to suggest GoDaddy has done anything wrong in starting this process; as you highlight, it's following the established policy. But I'm suggesting that given the lack of broader context at this time (e.g. the information gathering and review, the detailed CP/CPS assessment) may be sufficient reason to consider holding off accepting. And I did try to capture that if the decision is to accept the sub-CA, at this time, then it's functionally no different than accepting the root CA without those processes being completed.

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYsdeYR8_3Tupn3e0QpjV%3DCY%3DT5JOG0-u-Vs74QY3f3pA%40mail.gmail.com.
