Currently, I am very busy working on the CCADB updates. Maybe I can provide something in January. Thanks for your patience. Ben
On Thu, Dec 22, 2022 at 10:46 AM Kurt Seifried <[email protected]> wrote: > Ping, any movement on this? > > On Mon, Dec 12, 2022 at 11:04 AM Ben Wilson <[email protected]> wrote: > >> Kurt, >> I'll see if there is anything I can provide that might be helpful. >> Ben >> >> On Mon, Dec 12, 2022 at 10:37 AM Kurt Seifried <[email protected]> wrote: >> >>> Can you share/link the Mozilla processes for verifying these >>> documents/ownership/etc? >>> >>> On Mon, Dec 12, 2022 at 10:19 AM Ben Wilson <[email protected]> wrote: >>> >>>> Hi Kurt, >>>> >>>> I'm moving this to its own subject line. >>>> >>>> The verification stage (prior to placing an inclusion case in the >>>> public discussion queue) looks at whether the CA has provided the >>>> information. >>>> >>>> Some information about equitable ownership is usually provided in the >>>> CA's Value Justification document. Additionally, a review of information >>>> available online from government sources is used to determine/confirm the >>>> official legal name of the entity. However, we could do a better job at >>>> determining the equitable ownership and corporate relationships of CAs, if >>>> that is what you're getting at. For instance, press releases are sometimes >>>> a good source of information about majority shareholders. >>>> >>>> As you observe, it can get very complicated. >>>> >>>> Ben >>>> >>>> On Sat, Dec 10, 2022 at 3:40 PM Kurt Seifried <[email protected]> >>>> wrote: >>>> >>>>> I think the problem is that I look at statements like: >>>>> >>>>> The person conducting initial information verification uses the CCADB >>>>> to check the completeness of information about: >>>>> the CA owner, >>>>> the CA's auditor, >>>>> >>>>> These are very non-trivial things to verify and prove, witness >>>>> Trustcor's auditor maybe or maybe not being accredited at the time of the >>>>> audit. Ownership is nigh impossible to prove, e.g. Corp A owns the CA, but >>>>> what if a majority of Corp A's (unlisted) voting shares are held by a set >>>>> of companies that are actually interlocking? >>>>> >>>>> I guess what I'd like to see is "HOW" not just "WHAT", e.g. HOW do I >>>>> validate who owns the CA? HOW is the community supposed to accomplish >>>>> these >>>>> things? >>>>> >>>>> >>>>> >>>>> On Mon, Dec 5, 2022 at 1:01 PM Ben Wilson <[email protected]> wrote: >>>>> >>>>>> Hi Kurt, >>>>>> With regard to Mozilla's process, here is some helpful information: >>>>>> https://wiki.mozilla.org/CA/Application_Verification#Public_Discussion. >>>>>> >>>>>> Is this the kind of information you were looking for? If so, then >>>>>> we'll be copying similar text, with enhancements, over to the CCADB.org >>>>>> website (without the Mozilla-specific language), as further guidance. >>>>>> Thanks, >>>>>> Ben >>>>>> >>>>>> On Mon, Nov 21, 2022 at 11:43 AM Kurt Seifried <[email protected]> >>>>>> wrote: >>>>>> >>>>>>> Question: Are there any guidelines for bringing up concerns or >>>>>>> structuring arguments/evidence both in favor and against a new CA being >>>>>>> included? All the web page says: >>>>>>> >>>>>>> https://wiki.mozilla.org/CA >>>>>>> >>>>>>> Mozilla's dev-security-policy (MDSP) mailing list is used for >>>>>>> discussions of Mozilla policies related to security in general and CAs >>>>>>> in >>>>>>> particular, and for wider discussions about the WebPKI. Among other >>>>>>> things, >>>>>>> it is the preferred forum for the public-comment phase of CA >>>>>>> evaluation. If >>>>>>> you are a regular participant in MDSP, then please add your name to the >>>>>>> Policy Participants page. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Mon, Nov 21, 2022 at 11:39 AM Ben Wilson <[email protected]> >>>>>>> wrote: >>>>>>> >>>>>>>> All, >>>>>>>> >>>>>>>> As previously announced, public discussions of root inclusion >>>>>>>> requests will be taking place on the CCADB public list. Public >>>>>>>> discussion >>>>>>>> of a request for inclusion by SERPRO is taking place there now through >>>>>>>> the >>>>>>>> end of the year. Here is a link to the relevant thread. >>>>>>>> >>>>>>>> https://groups.google.com/a/ccadb.org/g/public/c/Mux855BsRg4/m/VVoTWfmQHgAJ >>>>>>>> >>>>>>>> Following public discussion, I will post a summary of the >>>>>>>> discussion on the CCADB Public list. At that point, public discussion >>>>>>>> will >>>>>>>> move to this list (m-d-s-p) for a one-week "last call" period. (See >>>>>>>> Step 7 >>>>>>>> in the Application Process >>>>>>>> <https://wiki.mozilla.org/CA/Application_Process>) >>>>>>>> >>>>>>>> Thanks, >>>>>>>> >>>>>>>> Ben >>>>>>>> >>>>>>>> -- >>>>>>>> You received this message because you are subscribed to the Google >>>>>>>> Groups "[email protected]" group. >>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>> send an email to [email protected]. >>>>>>>> To view this discussion on the web visit >>>>>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZSDBhOfWPb5UmrgF0bwCNC3eSD-fCY7Rqt04sEEBmLSw%40mail.gmail.com >>>>>>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZSDBhOfWPb5UmrgF0bwCNC3eSD-fCY7Rqt04sEEBmLSw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>> . >>>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Kurt Seifried (He/Him) >>>>>>> [email protected] >>>>>>> >>>>>> >>>>> >>>>> -- >>>>> Kurt Seifried (He/Him) >>>>> [email protected] >>>>> >>>> >>> >>> -- >>> Kurt Seifried (He/Him) >>> [email protected] >>> >> > > -- > Kurt Seifried (He/Him) > [email protected] > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaasBP8WRR9nT4cm_Ki%2BSNUuu%2BfVSN_j6xA20L5yrLO5kg%40mail.gmail.com.
