Hi Kurt, I'm moving this to its own subject line.
The verification stage (prior to placing an inclusion case in the public discussion queue) looks at whether the CA has provided the information. Some information about equitable ownership is usually provided in the CA's Value Justification document. Additionally, a review of information available online from government sources is used to determine/confirm the official legal name of the entity. However, we could do a better job at determining the equitable ownership and corporate relationships of CAs, if that is what you're getting at. For instance, press releases are sometimes a good source of information about majority shareholders. As you observe, it can get very complicated.

Ben

On Sat, Dec 10, 2022 at 3:40 PM Kurt Seifried <[email protected]> wrote:

> I think the problem is that I look at statements like:
>
> The person conducting initial information verification uses the CCADB to
> check the completeness of information about:
> the CA owner,
> the CA's auditor,
>
> These are very non-trivial things to verify and prove, witness
> Trustcor's auditor maybe or maybe not being accredited at the time of the
> audit. Ownership is nigh impossible to prove, e.g. Corp A owns the CA, but
> what if a majority of Corp A's (unlisted) voting shares are held by a set
> of companies that are actually interlocking?
>
> I guess what I'd like to see is "HOW" not just "WHAT", e.g. HOW do I
> validate who owns the CA? HOW is the community supposed to accomplish these
> things?
>
> On Mon, Dec 5, 2022 at 1:01 PM Ben Wilson <[email protected]> wrote:
>
>> Hi Kurt,
>> With regard to Mozilla's process, here is some helpful information:
>> https://wiki.mozilla.org/CA/Application_Verification#Public_Discussion.
>> Is this the kind of information you were looking for? If so, then we'll
>> be copying similar text, with enhancements, over to the CCADB.org website
>> (without the Mozilla-specific language), as further guidance.
>> Thanks,
>> Ben
>>
>> On Mon, Nov 21, 2022 at 11:43 AM Kurt Seifried <[email protected]> wrote:
>>
>>> Question: Are there any guidelines for bringing up concerns or
>>> structuring arguments/evidence both in favor and against a new CA being
>>> included? All the web page says:
>>>
>>> https://wiki.mozilla.org/CA
>>>
>>> Mozilla's dev-security-policy (MDSP) mailing list is used for
>>> discussions of Mozilla policies related to security in general and CAs in
>>> particular, and for wider discussions about the WebPKI. Among other things,
>>> it is the preferred forum for the public-comment phase of CA evaluation. If
>>> you are a regular participant in MDSP, then please add your name to the
>>> Policy Participants page.
>>>
>>> On Mon, Nov 21, 2022 at 11:39 AM Ben Wilson <[email protected]> wrote:
>>>
>>>> All,
>>>>
>>>> As previously announced, public discussions of root inclusion requests
>>>> will be taking place on the CCADB public list. Public discussion of a
>>>> request for inclusion by SERPRO is taking place there now through the end
>>>> of the year. Here is a link to the relevant thread.
>>>>
>>>> https://groups.google.com/a/ccadb.org/g/public/c/Mux855BsRg4/m/VVoTWfmQHgAJ
>>>>
>>>> Following public discussion, I will post a summary of the discussion on
>>>> the CCADB Public list. At that point, public discussion will move to this
>>>> list (m-d-s-p) for a one-week "last call" period. (See Step 7 in the
>>>> Application Process <https://wiki.mozilla.org/CA/Application_Process>)
>>>>
>>>> Thanks,
>>>>
>>>> Ben
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "[email protected]" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZSDBhOfWPb5UmrgF0bwCNC3eSD-fCY7Rqt04sEEBmLSw%40mail.gmail.com
>>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZSDBhOfWPb5UmrgF0bwCNC3eSD-fCY7Rqt04sEEBmLSw%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>>
>>> --
>>> Kurt Seifried (He/Him)
>>> [email protected]
>>>
>>
>
> --
> Kurt Seifried (He/Him)
> [email protected]
>
