Ping, any movement on this? On Mon, Dec 12, 2022 at 11:04 AM Ben Wilson <[email protected]> wrote:
> Kurt, > I'll see if there is anything I can provide that might be helpful. > Ben > > On Mon, Dec 12, 2022 at 10:37 AM Kurt Seifried <[email protected]> wrote: > >> Can you share/link the Mozilla processes for verifying these >> documents/ownership/etc? >> >> On Mon, Dec 12, 2022 at 10:19 AM Ben Wilson <[email protected]> wrote: >> >>> Hi Kurt, >>> >>> I'm moving this to its own subject line. >>> >>> The verification stage (prior to placing an inclusion case in the public >>> discussion queue) looks at whether the CA has provided the information. >>> >>> Some information about equitable ownership is usually provided in the >>> CA's Value Justification document. Additionally, a review of information >>> available online from government sources is used to determine/confirm the >>> official legal name of the entity. However, we could do a better job at >>> determining the equitable ownership and corporate relationships of CAs, if >>> that is what you're getting at. For instance, press releases are sometimes >>> a good source of information about majority shareholders. >>> >>> As you observe, it can get very complicated. >>> >>> Ben >>> >>> On Sat, Dec 10, 2022 at 3:40 PM Kurt Seifried <[email protected]> wrote: >>> >>>> I think the problem is that I look at statements like: >>>> >>>> The person conducting initial information verification uses the CCADB >>>> to check the completeness of information about: >>>> the CA owner, >>>> the CA's auditor, >>>> >>>> These are very non-trivial things to verify and prove, witness >>>> Trustcor's auditor maybe or maybe not being accredited at the time of the >>>> audit. Ownership is nigh impossible to prove, e.g. Corp A owns the CA, but >>>> what if a majority of Corp A's (unlisted) voting shares are held by a set >>>> of companies that are actually interlocking? >>>> >>>> I guess what I'd like to see is "HOW" not just "WHAT", e.g. HOW do I >>>> validate who owns the CA? HOW is the community supposed to accomplish these >>>> things? >>>> >>>> >>>> >>>> On Mon, Dec 5, 2022 at 1:01 PM Ben Wilson <[email protected]> wrote: >>>> >>>>> Hi Kurt, >>>>> With regard to Mozilla's process, here is some helpful information: >>>>> https://wiki.mozilla.org/CA/Application_Verification#Public_Discussion. >>>>> >>>>> Is this the kind of information you were looking for? If so, then >>>>> we'll be copying similar text, with enhancements, over to the CCADB.org >>>>> website (without the Mozilla-specific language), as further guidance. >>>>> Thanks, >>>>> Ben >>>>> >>>>> On Mon, Nov 21, 2022 at 11:43 AM Kurt Seifried <[email protected]> >>>>> wrote: >>>>> >>>>>> Question: Are there any guidelines for bringing up concerns or >>>>>> structuring arguments/evidence both in favor and against a new CA being >>>>>> included? All the web page says: >>>>>> >>>>>> https://wiki.mozilla.org/CA >>>>>> >>>>>> Mozilla's dev-security-policy (MDSP) mailing list is used for >>>>>> discussions of Mozilla policies related to security in general and CAs in >>>>>> particular, and for wider discussions about the WebPKI. Among other >>>>>> things, >>>>>> it is the preferred forum for the public-comment phase of CA evaluation. >>>>>> If >>>>>> you are a regular participant in MDSP, then please add your name to the >>>>>> Policy Participants page. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Mon, Nov 21, 2022 at 11:39 AM Ben Wilson <[email protected]> >>>>>> wrote: >>>>>> >>>>>>> All, >>>>>>> >>>>>>> As previously announced, public discussions of root inclusion >>>>>>> requests will be taking place on the CCADB public list. Public >>>>>>> discussion >>>>>>> of a request for inclusion by SERPRO is taking place there now through >>>>>>> the >>>>>>> end of the year. Here is a link to the relevant thread. >>>>>>> >>>>>>> https://groups.google.com/a/ccadb.org/g/public/c/Mux855BsRg4/m/VVoTWfmQHgAJ >>>>>>> >>>>>>> Following public discussion, I will post a summary of the discussion >>>>>>> on the CCADB Public list. At that point, public discussion will move to >>>>>>> this list (m-d-s-p) for a one-week "last call" period. (See Step 7 in >>>>>>> the Application >>>>>>> Process <https://wiki.mozilla.org/CA/Application_Process>) >>>>>>> >>>>>>> Thanks, >>>>>>> >>>>>>> Ben >>>>>>> >>>>>>> -- >>>>>>> You received this message because you are subscribed to the Google >>>>>>> Groups "[email protected]" group. >>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>> send an email to [email protected]. >>>>>>> To view this discussion on the web visit >>>>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZSDBhOfWPb5UmrgF0bwCNC3eSD-fCY7Rqt04sEEBmLSw%40mail.gmail.com >>>>>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZSDBhOfWPb5UmrgF0bwCNC3eSD-fCY7Rqt04sEEBmLSw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>> . >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Kurt Seifried (He/Him) >>>>>> [email protected] >>>>>> >>>>> >>>> >>>> -- >>>> Kurt Seifried (He/Him) >>>> [email protected] >>>> >>> >> >> -- >> Kurt Seifried (He/Him) >> [email protected] >> > -- Kurt Seifried (He/Him) [email protected] -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa39hrfdxq5BmDmDOFbYN6iBPKrDRANuYSpaTz%3DHJbFxaiQ%40mail.gmail.com.
