Can you share/link the Mozilla processes for verifying these documents/ownership/etc?
On Mon, Dec 12, 2022 at 10:19 AM Ben Wilson <[email protected]> wrote: > Hi Kurt, > > I'm moving this to its own subject line. > > The verification stage (prior to placing an inclusion case in the public > discussion queue) looks at whether the CA has provided the information. > > Some information about equitable ownership is usually provided in the CA's > Value Justification document. Additionally, a review of information > available online from government sources is used to determine/confirm the > official legal name of the entity. However, we could do a better job at > determining the equitable ownership and corporate relationships of CAs, if > that is what you're getting at. For instance, press releases are sometimes > a good source of information about majority shareholders. > > As you observe, it can get very complicated. > > Ben > > On Sat, Dec 10, 2022 at 3:40 PM Kurt Seifried <[email protected]> wrote: > >> I think the problem is that I look at statements like: >> >> The person conducting initial information verification uses the CCADB to >> check the completeness of information about: >> the CA owner, >> the CA's auditor, >> >> These are very non-trivial things to verify and prove, witness >> Trustcor's auditor maybe or maybe not being accredited at the time of the >> audit. Ownership is nigh impossible to prove, e.g. Corp A owns the CA, but >> what if a majority of Corp A's (unlisted) voting shares are held by a set >> of companies that are actually interlocking? >> >> I guess what I'd like to see is "HOW" not just "WHAT", e.g. HOW do I >> validate who owns the CA? HOW is the community supposed to accomplish these >> things? >> >> >> >> On Mon, Dec 5, 2022 at 1:01 PM Ben Wilson <[email protected]> wrote: >> >>> Hi Kurt, >>> With regard to Mozilla's process, here is some helpful information: >>> https://wiki.mozilla.org/CA/Application_Verification#Public_Discussion. >>> >>> Is this the kind of information you were looking for? If so, then we'll >>> be copying similar text, with enhancements, over to the CCADB.org website >>> (without the Mozilla-specific language), as further guidance. >>> Thanks, >>> Ben >>> >>> On Mon, Nov 21, 2022 at 11:43 AM Kurt Seifried <[email protected]> >>> wrote: >>> >>>> Question: Are there any guidelines for bringing up concerns or >>>> structuring arguments/evidence both in favor and against a new CA being >>>> included? All the web page says: >>>> >>>> https://wiki.mozilla.org/CA >>>> >>>> Mozilla's dev-security-policy (MDSP) mailing list is used for >>>> discussions of Mozilla policies related to security in general and CAs in >>>> particular, and for wider discussions about the WebPKI. Among other things, >>>> it is the preferred forum for the public-comment phase of CA evaluation. If >>>> you are a regular participant in MDSP, then please add your name to the >>>> Policy Participants page. >>>> >>>> >>>> >>>> >>>> On Mon, Nov 21, 2022 at 11:39 AM Ben Wilson <[email protected]> >>>> wrote: >>>> >>>>> All, >>>>> >>>>> As previously announced, public discussions of root inclusion requests >>>>> will be taking place on the CCADB public list. Public discussion of a >>>>> request for inclusion by SERPRO is taking place there now through the end >>>>> of the year. Here is a link to the relevant thread. >>>>> >>>>> https://groups.google.com/a/ccadb.org/g/public/c/Mux855BsRg4/m/VVoTWfmQHgAJ >>>>> >>>>> Following public discussion, I will post a summary of the discussion >>>>> on the CCADB Public list. At that point, public discussion will move to >>>>> this list (m-d-s-p) for a one-week "last call" period. (See Step 7 in the >>>>> Application >>>>> Process <https://wiki.mozilla.org/CA/Application_Process>) >>>>> >>>>> Thanks, >>>>> >>>>> Ben >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "[email protected]" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZSDBhOfWPb5UmrgF0bwCNC3eSD-fCY7Rqt04sEEBmLSw%40mail.gmail.com >>>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZSDBhOfWPb5UmrgF0bwCNC3eSD-fCY7Rqt04sEEBmLSw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> >>>> >>>> -- >>>> Kurt Seifried (He/Him) >>>> [email protected] >>>> >>> >> >> -- >> Kurt Seifried (He/Him) >> [email protected] >> > -- Kurt Seifried (He/Him) [email protected] -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa39KC7BeSvrGvcAFQYiPQ3vktk36e3gPfew-YUB%2BSqpGcA%40mail.gmail.com.
