This seems to mostly depend upon BJCA.cn disclosing information to us,
information we have asked for in the past but been told is "confidential"
and so on.

So with this in mind: BJCA.cn: can you please explain how your company is
structured to prevent subversion of the root certificate authority? E.g.
technical measures can be circumvented trivially if the people running them
are told to do so (and if they don't they can be replaced with people that
will).

On Mon, Jan 23, 2023 at 4:57 PM Ben Wilson <[email protected]> wrote:

> All,
>
> We recently concluded a six-week public discussion on the CCADB Public
> list for the root inclusion request of Beijing CA (BJCA),
> https://groups.google.com/a/ccadb.org/g/public/c/o9lbCbr92Ug/m/lPkqrHF1DQAJ.
> This email is to announce a continued 3-week discussion of BJCA’s inclusion
> application to be held on this list. The reason for this continued
> discussion is that we need to gather more information to better understand
> BJCA’s operational and management controls and the One Pass software (among
> any other issues that might be raised during this continued discussion).
>
> The current state of our understanding is summarized in the post
> referenced in the link above. That is, BJCA operates two different
> infrastructures, one that meets the needs of its national government and
> another that aims to meet the needs of the global public. Also, according
> to BJCA, the One Pass software was mislabelled as spyware.
>
> There hasn’t been enough evidence yet to make conclusions about these two
> questions–how is management and operation of the two infrastructures
> separated, given that they both are part of the same company, and did the
> Beijing One Pass software have any components that would be considered
> spyware? I would expect that BJCA might want to respond initially to these
> questions, even if they believe that they have answered them adequately in
> the past.
>
> We need fact-based discourse that answers these questions.
>
> In addition to these questions, does anyone have examples of other conduct
> by BJCA or insights into its practices? Can anyone provide more information
> about BJCA’s information security practices, compliance with international
> standards, or performance under other metrics that will help determine its
> future conduct, were it to become a publicly trusted CA?
>
> I’d like to continue this discussion through Monday, February 13, 2023. As
> with the public discussion held on CCADB Public, please reply directly in
> this discussion thread with thoughtful and constructive comments, and a
> representative of BJCA must respond here to all questions or issues that
> are raised.
>
> Thanks,
>
> Ben
>
> --
> You received this message because you are subscribed to the Google Groups
> "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaaRA81B1SF%3DSRF%3DPsJJcNsoq70hDZO703yOtG4FMPajTw%40mail.gmail.com
> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaaRA81B1SF%3DSRF%3DPsJJcNsoq70hDZO703yOtG4FMPajTw%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>


-- 
Kurt Seifried (He/Him)
[email protected]
