Ryan,

The language I read states, "Certainly validates domain control primarily in an automated fashion using the ACME protocol."
The other language is no longer there.

Ben

On Fri, Mar 4, 2022 at 4:16 PM Ben Wilson <[email protected]> wrote:

> Ryan,
> Let me compare what I reviewed (CP/CPS dated March 1, 2022) with what
> Andrew reviewed and get back to you.
> Ben
>
> On Fri, Mar 4, 2022 at 3:56 PM Ryan Sleevi <[email protected]> wrote:
>
>> Ben:
>>
>> Did I miss Andrew’s remarks being addressed? Or did you see them not as
>> concerning as we did?
>>
>> On Fri, Mar 4, 2022 at 5:07 PM Ben Wilson <[email protected]> wrote:
>>
>>> All,
>>>
>>> Today I read through the Certainly CP/CPS and reviewed the Compliance
>>> Self-Assessment and GoDaddy's review documents. I did not see anything in
>>> the CP/CPS that did not conform to the Mozilla Root Store Policy or the
>>> CA/B Forum's Baseline Requirements.
>>>
>>> I also looked at the GoDaddy-Fastly cross-certificate profiles and did
>>> not see anything that concerned me.
>>>
>>> The public comment period will close next Wednesday, 9-Mar-2022. Please
>>> provide any additional comments you may have by then.
>>>
>>> Yours sincerely,
>>>
>>> Ben
>>>
>>> On Tue, Mar 1, 2022 at 11:43 PM 'Brittany Randall' via [email protected] <[email protected]> wrote:
>>>
>>>> Regarding the GoDaddy CP/CPS review of Certainly, we have attached the
>>>> following review artifacts to Bug 1755851
>>>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1755851>:
>>>>
>>>> - Attachment Compendium.pdf
>>>> - CPCPSReviewTracker.xlsx
>>>> - CSAReview.zip (contains three files)
>>>> - FastlyWebTrustAuditReportReview.zip (contains seven files)
>>>>
>>>> The first document, “Attachment Compendium.pdf” provides details and
>>>> additional context for the remaining three attachments uploaded.
>>>> Also, for reference, Certainly has published version 1.3 of the
>>>> Certainly CP/CPS to https://certainly.com/repository/
>>>>
>>>> Best,
>>>>
>>>> Brittany Randall
>>>>
>>>> On Friday, February 25, 2022 at 9:06:08 AM UTC-7 Brittany Randall wrote:
>>>>
>>>>> We can provide some of our review documentation. I'll shoot to have
>>>>> something early next week. I'll plan to add any attachments to the bug,
>>>>> but will reply in this discussion to let folks know items are there.
>>>>>
>>>>> Best,
>>>>>
>>>>> Brittany
>>>>>
>>>>> On Tuesday, February 22, 2022 at 2:12:50 AM UTC-7 [email protected] wrote:
>>>>>
>>>>>> On 21/2/2022 3:28 AM, Ryan Sleevi wrote:
>>>>>> > This speaks to Dimitris' point, or perhaps misunderstanding, about the
>>>>>> > root inclusion process. The suggestion of there being simply a three
>>>>>> > week review process overlooks the significant, and transparent,
>>>>>> > vetting that occurs on the CCADB Case and Bugzilla issue prior to
>>>>>> > acceptance, including, as has been previously mentioned, the detailed
>>>>>> > CP/CPS review by someone who regularly performs CP/CPS reviews, and
>>>>>> > with a vested interest towards protecting users. The incentives,
>>>>>> > process, and outcomes are all radically different with respect to
>>>>>> > subordination, and yet the risks are, at best, the same, or as
>>>>>> > previously highlighted, even greater than those risks of a root (due
>>>>>> > to shared fate).
>>>>>>
>>>>>> I would like to remind people that before Mozilla adopted the great
>>>>>> practice for detailed CP/CPS reviews by its own staff (with the
>>>>>> unquestionable incentives, experience that Ryan mentioned), the Mozilla
>>>>>> community contributed to these CP/CPS reviews.
>>>>>> Members of the community, including people associated with CAs and
>>>>>> Browsers, were performing reviews (perhaps not as detailed as the ones
>>>>>> performed during the last 2 years) and technical checks (for example
>>>>>> CRLs, OCSP and other "publicly visible" technical elements).
>>>>>>
>>>>>> My point is that we should not outright consider CA reviews as
>>>>>> non-trusted. In fact, any review is useful especially if it is publicly
>>>>>> disclosed. This is also supported in
>>>>>> https://wiki.mozilla.org/CA/Application_Verification#Public_discussion.
>>>>>>
>>>>>> If GoDaddy has performed such an analysis in Certainly's CP/CPS, I would
>>>>>> recommend its disclosure to this request so that members can
>>>>>> independently assess. It would also help Ben with his review during the
>>>>>> Root inclusion request process.
>>>>>>
>>>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "[email protected]" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/d73a51c1-5f68-4626-b4a7-ea3643747a19n%40mozilla.org
