Ben: Did I miss Andrew’s remarks being addressed? Or did you see them not as concerning as we did?
On Fri, Mar 4, 2022 at 5:07 PM Ben Wilson <[email protected]> wrote:
> All,
>
> Today I read through the Certainly CP/CPS and reviewed the Compliance
> Self-Assessment and GoDaddy's review documents. I did not see anything in
> the CP/CPS that did not conform to the Mozilla Root Store Policy or the
> CA/B Forum's Baseline Requirements.
>
> I also looked at the GoDaddy-Fastly cross-certificate profiles and did not
> see anything that concerned me.
>
> The public comment period will close next Wednesday, 9-Mar-2022. Please
> provide any additional comments you may have by then.
>
> Yours sincerely,
>
> Ben
>
> On Tue, Mar 1, 2022 at 11:43 PM 'Brittany Randall' via
> [email protected] <[email protected]> wrote:
>
>> Regarding the GoDaddy CP/CPS review of Certainly, we have attached the
>> following review artifacts to Bug 1755851
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1755851>:
>>
>> - Attachment Compendium.pdf
>> - CPCPSReviewTracker.xlsx
>> - CSAReview.zip (contains three files)
>> - FastlyWebTrustAuditReportReview.zip (contains seven files)
>>
>> The first document, "Attachment Compendium.pdf", provides details and
>> additional context for the remaining three attachments uploaded. Also, for
>> reference, Certainly has published version 1.3 of the Certainly CP/CPS to
>> https://certainly.com/repository/
>>
>> Best,
>>
>> Brittany Randall
>>
>> On Friday, February 25, 2022 at 9:06:08 AM UTC-7 Brittany Randall wrote:
>>
>>> We can provide some of our review documentation. I'll shoot to have
>>> something early next week. I'll plan to add any attachments to the bug, but
>>> will reply in this discussion to let folks know items are there.
>>>
>>> Best,
>>>
>>> Brittany
>>>
>>> On Tuesday, February 22, 2022 at 2:12:50 AM UTC-7 [email protected]
>>> wrote:
>>>
>>>> On 21/2/2022 3:28 a.m., Ryan Sleevi wrote:
>>>> > This speaks to Dimitris' point, or perhaps misunderstanding, about the
>>>> > root inclusion process. The suggestion of there being simply a three
>>>> > week review process overlooks the significant, and transparent,
>>>> > vetting that occurs on the CCADB Case and Bugzilla issue prior to
>>>> > acceptance, including, as has been previously mentioned, the detailed
>>>> > CP/CPS review by someone who regularly performs CP/CPS reviews, and
>>>> > with a vested interest towards protecting users. The incentives,
>>>> > process, and outcomes are all radically different with respect to
>>>> > subordination, and yet the risks are, at best, the same, or as
>>>> > previously highlighted, even greater than those risks of a root (due
>>>> > to shared fate).
>>>>
>>>> I would like to remind people that before Mozilla adopted the great
>>>> practice for detailed CP/CPS reviews by its own staff (with the
>>>> unquestionable incentives and experience that Ryan mentioned), the Mozilla
>>>> community contributed to these CP/CPS reviews. Members of the community,
>>>> including people associated with CAs and Browsers, were performing
>>>> reviews (perhaps not as detailed as the ones performed during the last 2
>>>> years) and technical checks (for example CRLs, OCSP and other "publicly
>>>> visible" technical elements).
>>>>
>>>> My point is that we should not outright consider CA reviews as
>>>> non-trusted. In fact, any review is useful, especially if it is publicly
>>>> disclosed. This is also supported in
>>>> https://wiki.mozilla.org/CA/Application_Verification#Public_discussion.
>>>>
>>>> If GoDaddy has performed such an analysis in Certainly's CP/CPS, I would
>>>> recommend its disclosure to this request so that members can
>>>> independently assess. It would also help Ben with his review during the
>>>> Root inclusion request process.
>>>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "[email protected]" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/d73a51c1-5f68-4626-b4a7-ea3643747a19n%40mozilla.org
