Is BJCA.cn still on this list? If we've only got 3 weeks (21 days) and they take 2+ days to answer, we're going to run out of time pretty quickly.

On Mon, Jan 23, 2023 at 6:11 PM Kurt Seifried <[email protected]> wrote:

> This seems to mostly depend upon BJCA.cn disclosing information to us.
> Information we have asked for in the past but been told is "confidential"
> and so on.
>
> So with this in mind: BJCA.cn: can you please explain how your company is
> structured to prevent subversion of the root certificate authority? E.g.
> technical measures can be circumvented trivially if the people running them
> are told to do so (and if they don't they can be replaced with people that
> will).
>
> On Mon, Jan 23, 2023 at 4:57 PM Ben Wilson <[email protected]> wrote:
>
>> All,
>>
>> We recently concluded a six-week public discussion on the CCADB Public
>> list for the root inclusion request of Beijing CA (BJCA),
>> https://groups.google.com/a/ccadb.org/g/public/c/o9lbCbr92Ug/m/lPkqrHF1DQAJ.
>> This email is to announce a continued 3-week discussion of BJCA’s inclusion
>> application to be held on this list. The reason for this continued
>> discussion is that we need to gather more information to better understand
>> BJCA’s operational and management controls and the One Pass software (among
>> any other issues that might be raised during this continued discussion).
>>
>> The current state of our understanding is summarized in the post
>> referenced in the link above. That is, BJCA operates two different
>> infrastructures, one that meets the needs of its national government and
>> another that aims to meet the needs of the global public. Also, according
>> to BJCA, the One Pass software was mislabelled as spyware.
>>
>> There hasn’t been enough evidence yet to make conclusions about these two
>> questions–how is management and operation of the two infrastructures
>> separated, given that they both are part of the same company, and did the
>> Beijing One Pass software have any components that would be considered
>> spyware? I would expect that BJCA might want to respond initially to these
>> questions, even if they believe that they have answered them adequately in
>> the past.
>>
>> We need fact-based discourse that answers these questions.
>>
>> In addition to these questions, does anyone have examples of other
>> conduct by BJCA or insights into its practices? Can anyone provide more
>> information about BJCA’s information security practices, compliance with
>> international standards, or performance under other metrics that will help
>> determine its future conduct, were it to become a publicly trusted CA?
>>
>> I’d like to continue this discussion through Monday, February 13, 2023.
>> As with the public discussion held on CCADB Public, please reply directly
>> in this discussion thread with thoughtful and constructive comments, and a
>> representative of BJCA must respond here to all questions or issues that
>> are raised.
>>
>> Thanks,
>>
>> Ben
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "[email protected]" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaaRA81B1SF%3DSRF%3DPsJJcNsoq70hDZO703yOtG4FMPajTw%40mail.gmail.com
>
> --
> Kurt Seifried (He/Him)
> [email protected]

--
Kurt Seifried (He/Him)
[email protected]
