We can provide some of our review documentation. I'll shoot to have something early next week. I'll plan to add any attachments to the bug, but will reply in this discussion to let folks know items are there.
Best,
Brittany

On Tuesday, February 22, 2022 at 2:12:50 AM UTC-7 [email protected] wrote:

> On 21/2/2022 3:28 π.μ., Ryan Sleevi wrote:
> > This speaks to Dimitris' point, or perhaps misunderstanding, about the
> > root inclusion process. The suggestion of there being simply a three
> > week review process overlooks the significant, and transparent,
> > vetting that occurs on the CCADB Case and Bugzilla issue prior to
> > acceptance, including, as has been previously mentioned, the detailed
> > CP/CPS review by someone who regularly performs CP/CPS reviews, and
> > with a vested interest towards protecting users. The incentives,
> > process, and outcomes are all radically different with respect to
> > subordination, and yet the risks are, at best, the same, or as
> > previously highlighted, even greater than those risks of a root (due
> > to shared fate).
>
> I would like to remind people that before Mozilla adopted the great
> practice for detailed CP/CPS reviews by its own staff (with the
> unquestionable incentives, experience that Ryan mentioned), the Mozilla
> community contributed to these CP/CPS reviews. Members of the community,
> including people associated with CAs and Browsers, were performing
> reviews (perhaps not as detailed as the ones performed during the last 2
> years) and technical checks (for example CRLs, OCSP and other "publicly
> visible" technical elements).
>
> My point is that we should not outright consider CA reviews as
> non-trusted. In fact, any review is useful especially if it is publicly
> disclosed. This is also supported in
> https://wiki.mozilla.org/CA/Application_Verification#Public_discussion.
>
> If GoDaddy has performed such an analysis in Certainly's CP/CPS, I would
> recommend its disclosure to this request so that members can
> independently assess. It would also help Ben with his review during the
> Root inclusion request process.
