Kurt, I'll see if there is anything I can provide that might be helpful. Ben
On Mon, Dec 12, 2022 at 10:37 AM Kurt Seifried <[email protected]> wrote: > Can you share/link the Mozilla processes for verifying these > documents/ownership/etc? > > On Mon, Dec 12, 2022 at 10:19 AM Ben Wilson <[email protected]> wrote: > >> Hi Kurt, >> >> I'm moving this to its own subject line. >> >> The verification stage (prior to placing an inclusion case in the public >> discussion queue) looks at whether the CA has provided the information. >> >> Some information about equitable ownership is usually provided in the >> CA's Value Justification document. Additionally, a review of information >> available online from government sources is used to determine/confirm the >> official legal name of the entity. However, we could do a better job at >> determining the equitable ownership and corporate relationships of CAs, if >> that is what you're getting at. For instance, press releases are sometimes >> a good source of information about majority shareholders. >> >> As you observe, it can get very complicated. >> >> Ben >> >> On Sat, Dec 10, 2022 at 3:40 PM Kurt Seifried <[email protected]> wrote: >> >>> I think the problem is that I look at statements like: >>> >>> The person conducting initial information verification uses the CCADB to >>> check the completeness of information about: >>> the CA owner, >>> the CA's auditor, >>> >>> These are very non-trivial things to verify and prove, witness >>> Trustcor's auditor maybe or maybe not being accredited at the time of the >>> audit. Ownership is nigh impossible to prove, e.g. Corp A owns the CA, but >>> what if a majority of Corp A's (unlisted) voting shares are held by a set >>> of companies that are actually interlocking? >>> >>> I guess what I'd like to see is "HOW" not just "WHAT", e.g. HOW do I >>> validate who owns the CA? HOW is the community supposed to accomplish these >>> things? >>> >>> >>> >>> On Mon, Dec 5, 2022 at 1:01 PM Ben Wilson <[email protected]> wrote: >>> >>>> Hi Kurt, >>>> With regard to Mozilla's process, here is some helpful information: >>>> https://wiki.mozilla.org/CA/Application_Verification#Public_Discussion. >>>> >>>> Is this the kind of information you were looking for? If so, then >>>> we'll be copying similar text, with enhancements, over to the CCADB.org >>>> website (without the Mozilla-specific language), as further guidance. >>>> Thanks, >>>> Ben >>>> >>>> On Mon, Nov 21, 2022 at 11:43 AM Kurt Seifried <[email protected]> >>>> wrote: >>>> >>>>> Question: Are there any guidelines for bringing up concerns or >>>>> structuring arguments/evidence both in favor and against a new CA being >>>>> included? All the web page says: >>>>> >>>>> https://wiki.mozilla.org/CA >>>>> >>>>> Mozilla's dev-security-policy (MDSP) mailing list is used for >>>>> discussions of Mozilla policies related to security in general and CAs in >>>>> particular, and for wider discussions about the WebPKI. Among other >>>>> things, >>>>> it is the preferred forum for the public-comment phase of CA evaluation. >>>>> If >>>>> you are a regular participant in MDSP, then please add your name to the >>>>> Policy Participants page. >>>>> >>>>> >>>>> >>>>> >>>>> On Mon, Nov 21, 2022 at 11:39 AM Ben Wilson <[email protected]> >>>>> wrote: >>>>> >>>>>> All, >>>>>> >>>>>> As previously announced, public discussions of root inclusion >>>>>> requests will be taking place on the CCADB public list. Public discussion >>>>>> of a request for inclusion by SERPRO is taking place there now through >>>>>> the >>>>>> end of the year. Here is a link to the relevant thread. >>>>>> >>>>>> https://groups.google.com/a/ccadb.org/g/public/c/Mux855BsRg4/m/VVoTWfmQHgAJ >>>>>> >>>>>> Following public discussion, I will post a summary of the discussion >>>>>> on the CCADB Public list. At that point, public discussion will move to >>>>>> this list (m-d-s-p) for a one-week "last call" period. (See Step 7 in >>>>>> the Application >>>>>> Process <https://wiki.mozilla.org/CA/Application_Process>) >>>>>> >>>>>> Thanks, >>>>>> >>>>>> Ben >>>>>> >>>>>> -- >>>>>> You received this message because you are subscribed to the Google >>>>>> Groups "[email protected]" group. >>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>> send an email to [email protected]. >>>>>> To view this discussion on the web visit >>>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZSDBhOfWPb5UmrgF0bwCNC3eSD-fCY7Rqt04sEEBmLSw%40mail.gmail.com >>>>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZSDBhOfWPb5UmrgF0bwCNC3eSD-fCY7Rqt04sEEBmLSw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>> . >>>>>> >>>>> >>>>> >>>>> -- >>>>> Kurt Seifried (He/Him) >>>>> [email protected] >>>>> >>>> >>> >>> -- >>> Kurt Seifried (He/Him) >>> [email protected] >>> >> > > -- > Kurt Seifried (He/Him) > [email protected] > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYem7xgUd_ShwubW9VwU30uFhm9igkyOBoFNKT6vOsngA%40mail.gmail.com.
