Generally I think this is a great step and it's going to be a good thing for WebPKI and the community in/around it.
Some general thoughts:

1. As already suggested by others, I wonder if it would help to better clarify what is meant by network surveillance. I think a strong stance is good, but perhaps precision is needed to distinguish between actors engaged in spying and vendors of network monitoring tools, as the latter could be argued to be the former.

2. "Mis-issued a large or unknown number of ... certificates". I wonder if stating it's a large number is an unhelpful distinction; large or unknown is definitely bad, but repeated small-volume mis-issuance may be more concerning than a single incident. It may be covered by other rules elsewhere, but on the page under draft I didn't see anything that would describe a CA who was coming to the mailing list every month or so with their latest problem, as in that case the number of certificates might be low.

3. This may be more subjective and less precise than the tone you're going for, but is there value in having some sort of comment about how CA representatives are to engage with the community via this mailing list? Maybe not Unacceptable or Concerning Behaviour, but at the Warning Sign level it could fit. Naming no names, it seems to me as if some of the recently excluded CAs have responded extremely unpleasantly to reasonable questioning/criticism from members of the community, so I wonder if a requirement to behave might not be a bad thing. As I say, it's a bit subjective, but as Filippo rightly says this page is trying to write down the values expected, so if Mozilla policy is going to demand transparency over ownership and operations then adding respectful interaction with the community might not be totally unreasonable.

Best Regards,
Rob

On Tuesday, January 31, 2023 at 8:16:05 PM UTC [email protected] wrote:
> All,
>
> I will greatly appreciate your feedback on the following new wiki page.
>
> https://wiki.mozilla.org/CA/Root_Inclusion_Considerations
>
> As you all know, sometimes we have very difficult decisions to make in regards to new inclusion or continued inclusion of root certificates in Mozilla's root store. With this new wiki page I am hoping to make such difficult root inclusion decisions more deterministic. Hopefully it will help the next time we have a difficult discussion about a CA who is currently in Mozilla's program. And hopefully it will enable us to decline root inclusion requests before we even get to the public discussion phase when the CA has participated in unacceptable behavior or has a multitude of concerning behaviors.
>
> Thanks in advance for your thoughtful and constructive consideration.
>
> Kathleen
