Regarding the GoDaddy CP/CPS review of Certainly, we have attached the following review artifacts to Bug 1755851 <https://bugzilla.mozilla.org/show_bug.cgi?id=1755851>:
- Attachment Compendium.pdf
- CPCPSReviewTracker.xlsx
- CSAReview.zip (contains three files)
- FastlyWebTrustAuditReportReview.zip (contains seven files)

The first document, "Attachment Compendium.pdf", provides details and additional context for the remaining three attachments uploaded.

Also, for reference, Certainly has published version 1.3 of the Certainly CP/CPS to https://certainly.com/repository/

Best,
Brittany Randall

On Friday, February 25, 2022 at 9:06:08 AM UTC-7 Brittany Randall wrote:
> We can provide some of our review documentation. I'll shoot to have
> something early next week. I'll plan to add any attachments to the bug, but
> will reply in this discussion to let folks know items are there.
>
> Best,
>
> Brittany
>
> On Tuesday, February 22, 2022 at 2:12:50 AM UTC-7 [email protected] wrote:
>
>> On 21/2/2022 3:28 AM, Ryan Sleevi wrote:
>> > This speaks to Dimitris' point, or perhaps misunderstanding, about the
>> > root inclusion process. The suggestion of there being simply a three
>> > week review process overlooks the significant, and transparent,
>> > vetting that occurs on the CCADB Case and Bugzilla issue prior to
>> > acceptance, including, as has been previously mentioned, the detailed
>> > CP/CPS review by someone who regularly performs CP/CPS reviews, and
>> > with a vested interest towards protecting users. The incentives,
>> > process, and outcomes are all radically different with respect to
>> > subordination, and yet the risks are, at best, the same, or as
>> > previously highlighted, even greater than those risks of a root (due
>> > to shared fate).
>>
>> I would like to remind people that before Mozilla adopted the great
>> practice for detailed CP/CPS reviews by its own staff (with the
>> unquestionable incentives, experience that Ryan mentioned), the Mozilla
>> community contributed to these CP/CPS reviews. Members of the community,
>> including people associated with CAs and Browsers, were performing
>> reviews (perhaps not as detailed as the ones performed during the last 2
>> years) and technical checks (for example CRLs, OCSP and other "publicly
>> visible" technical elements).
>>
>> My point is that we should not outright consider CA reviews as
>> non-trusted. In fact, any review is useful especially if it is publicly
>> disclosed. This is also supported in
>> https://wiki.mozilla.org/CA/Application_Verification#Public_discussion.
>>
>> If GoDaddy has performed such an analysis in Certainly's CP/CPS, I would
>> recommend its disclosure to this request so that members can
>> independently assess. It would also help Ben with his review during the
>> Root inclusion request process.

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/d73a51c1-5f68-4626-b4a7-ea3643747a19n%40mozilla.org.
