Ryan,

Let me compare what I reviewed (CP/CPS dated March 1, 2022) with what Andrew reviewed and get back to you.

Ben
On Fri, Mar 4, 2022 at 3:56 PM Ryan Sleevi <[email protected]> wrote:
> Ben:
>
> Did I miss Andrew's remarks being addressed? Or did you see them not as concerning as we did?
>
> On Fri, Mar 4, 2022 at 5:07 PM Ben Wilson <[email protected]> wrote:
>> All,
>>
>> Today I read through the Certainly CP/CPS and reviewed the Compliance Self-Assessment and GoDaddy's review documents. I did not see anything in the CP/CPS that did not conform to the Mozilla Root Store Policy or the CA/B Forum's Baseline Requirements.
>>
>> I also looked at the GoDaddy-Fastly cross-certificate profiles and did not see anything that concerned me.
>>
>> The public comment period will close next Wednesday, 9-Mar-2022. Please provide any additional comments you may have by then.
>>
>> Yours sincerely,
>>
>> Ben
>>
>> On Tue, Mar 1, 2022 at 11:43 PM 'Brittany Randall' via [email protected] <[email protected]> wrote:
>>> Regarding the GoDaddy CP/CPS review of Certainly, we have attached the following review artifacts to Bug 1755851 <https://bugzilla.mozilla.org/show_bug.cgi?id=1755851>:
>>>
>>> - Attachment Compendium.pdf
>>> - CPCPSReviewTracker.xlsx
>>> - CSAReview.zip (contains three files)
>>> - FastlyWebTrustAuditReportReview.zip (contains seven files)
>>>
>>> The first document, "Attachment Compendium.pdf", provides details and additional context for the remaining three attachments uploaded. Also, for reference, Certainly has published version 1.3 of the Certainly CP/CPS to https://certainly.com/repository/
>>>
>>> Best,
>>>
>>> Brittany Randall
>>>
>>> On Friday, February 25, 2022 at 9:06:08 AM UTC-7 Brittany Randall wrote:
>>>> We can provide some of our review documentation. I'll shoot to have something early next week. I'll plan to add any attachments to the bug, but will reply in this discussion to let folks know items are there.
>>>>
>>>> Best,
>>>>
>>>> Brittany
>>>>
>>>> On Tuesday, February 22, 2022 at 2:12:50 AM UTC-7 [email protected] wrote:
>>>>> On 21/2/2022 3:28 a.m., Ryan Sleevi wrote:
>>>>> > This speaks to Dimitris' point, or perhaps misunderstanding, about the root inclusion process. The suggestion of there being simply a three week review process overlooks the significant, and transparent, vetting that occurs on the CCADB Case and Bugzilla issue prior to acceptance, including, as has been previously mentioned, the detailed CP/CPS review by someone who regularly performs CP/CPS reviews, and with a vested interest towards protecting users. The incentives, process, and outcomes are all radically different with respect to subordination, and yet the risks are, at best, the same, or as previously highlighted, even greater than those risks of a root (due to shared fate).
>>>>>
>>>>> I would like to remind people that before Mozilla adopted the great practice for detailed CP/CPS reviews by its own staff (with the unquestionable incentives, experience that Ryan mentioned), the Mozilla community contributed to these CP/CPS reviews. Members of the community, including people associated with CAs and Browsers, were performing reviews (perhaps not as detailed as the ones performed during the last 2 years) and technical checks (for example CRLs, OCSP and other "publicly visible" technical elements).
>>>>>
>>>>> My point is that we should not outright consider CA reviews as non-trusted. In fact, any review is useful especially if it is publicly disclosed. This is also supported in https://wiki.mozilla.org/CA/Application_Verification#Public_discussion.
>>>>>
>>>>> If GoDaddy has performed such an analysis in Certainly's CP/CPS, I would recommend its disclosure to this request so that members can independently assess. It would also help Ben with his review during the Root inclusion request process.
>>>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "[email protected]" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/d73a51c1-5f68-4626-b4a7-ea3643747a19n%40mozilla.org.
