I think the problem is that I look at statements like:

The person conducting initial information verification uses the CCADB to check the completeness of information about: the CA owner, the CA's auditor,

These are very non-trivial things to verify and prove, witness Trustcor's auditor maybe or maybe not being accredited at the time of the audit. Ownership is nigh impossible to prove, e.g. Corp A owns the CA, but what if a majority of Corp A's (unlisted) voting shares are held by a set of companies that are actually interlocking?

I guess what I'd like to see is "HOW" not just "WHAT", e.g. HOW do I validate who owns the CA? HOW is the community supposed to accomplish these things?

On Mon, Dec 5, 2022 at 1:01 PM Ben Wilson <[email protected]> wrote:

> Hi Kurt,
> With regard to Mozilla's process, here is some helpful information:
> https://wiki.mozilla.org/CA/Application_Verification#Public_Discussion.
> Is this the kind of information you were looking for? If so, then we'll
> be copying similar text, with enhancements, over to the CCADB.org website
> (without the Mozilla-specific language), as further guidance.
> Thanks,
> Ben
>
> On Mon, Nov 21, 2022 at 11:43 AM Kurt Seifried <[email protected]> wrote:
>
>> Question: Are there any guidelines for bringing up concerns or
>> structuring arguments/evidence both in favor and against a new CA being
>> included? All the web page says:
>>
>> https://wiki.mozilla.org/CA
>>
>> Mozilla's dev-security-policy (MDSP) mailing list is used for discussions
>> of Mozilla policies related to security in general and CAs in particular,
>> and for wider discussions about the WebPKI. Among other things, it is the
>> preferred forum for the public-comment phase of CA evaluation. If you are a
>> regular participant in MDSP, then please add your name to the Policy
>> Participants page.
>>
>> On Mon, Nov 21, 2022 at 11:39 AM Ben Wilson <[email protected]> wrote:
>>
>>> All,
>>>
>>> As previously announced, public discussions of root inclusion requests
>>> will be taking place on the CCADB public list. Public discussion of a
>>> request for inclusion by SERPRO is taking place there now through the end
>>> of the year. Here is a link to the relevant thread.
>>>
>>> https://groups.google.com/a/ccadb.org/g/public/c/Mux855BsRg4/m/VVoTWfmQHgAJ
>>>
>>> Following public discussion, I will post a summary of the discussion on
>>> the CCADB Public list. At that point, public discussion will move to this
>>> list (m-d-s-p) for a one-week "last call" period. (See Step 7 in the
>>> Application Process <https://wiki.mozilla.org/CA/Application_Process>)
>>>
>>> Thanks,
>>>
>>> Ben
>>
>> --
>> Kurt Seifried (He/Him)
>> [email protected]

--
Kurt Seifried (He/Him)
[email protected]
