On 21/2/2022 3:28 AM, Ryan Sleevi wrote:
This speaks to Dimitris' point, or perhaps misunderstanding, about the root inclusion process. The suggestion of there being simply a three week review process overlooks the significant, and transparent, vetting that occurs on the CCADB Case and Bugzilla issue prior to acceptance, including, as has been previously mentioned, the detailed CP/CPS review by someone who regularly performs CP/CPS reviews, and with a vested interest towards protecting users. The incentives, process, and outcomes are all radically different with respect to subordination, and yet the risks are, at best, the same, or as previously highlighted, even greater than those risks of a root (due to shared fate).
I would like to remind people that before Mozilla adopted the great practice for detailed CP/CPS reviews by its own staff (with the unquestionable incentives and experience that Ryan mentioned), the Mozilla community contributed to these CP/CPS reviews. Members of the community, including people associated with CAs and Browsers, were performing reviews (perhaps not as detailed as the ones performed during the last 2 years) and technical checks (for example CRLs, OCSP and other "publicly visible" technical elements).
My point is that we should not outright consider CA reviews as non-trusted. In fact, any review is useful especially if it is publicly disclosed. This is also supported in https://wiki.mozilla.org/CA/Application_Verification#Public_discussion.
If GoDaddy has performed such an analysis in Certainly's CP/CPS, I would recommend its disclosure to this request so that members can independently assess. It would also help Ben with his review during the Root inclusion request process.
