Thank you for compiling this Kathleen. I do think it will help in assessing
future inclusion requests, but of course it won't cover every possible
situation. It is implied in the MRSP, but might be worth making explicit
here that inclusion requests may be denied for reasons/behaviors not [yet]
listed on this wiki page. Additional comments:

- The bullet on a large volume of mis-issuance makes sense from the
perspective of not including a root that has misissued a bunch of certs
(instead make the CA submit a new "clean" root)
- However, in line with a previous comment, I have more concern with
repeated mis-issuance than the number of misissued certs. This might be
more broadly stated as repeated incidents.
- The CA's response to mis-issuance/incidents is important. Did the CA
self-report or wait for the community to raise the issue? Did they revoke
promptly? Identify and remediate the root cause?
- I'd also suggest adding something about not providing prompt and detailed
responses to Mozilla inquiries as a concerning behavior or warning sign.
- The bullet on CAB Forum membership is slightly problematic because CAB
Forum membership requires the CA's roots to be recognized in at least one
browser, and Mozilla is often the first. Adding "or interested party" or
changing "member" to "participant" would solve this.

Thanks,

Wayne

On Tue, Jan 31, 2023 at 3:16 PM Kathleen Wilson <[email protected]> wrote:

> All,
>
> I will greatly appreciate your feedback on the following new wiki page.
>
> https://wiki.mozilla.org/CA/Root_Inclusion_Considerations
>
> As you all know, sometimes we have very difficult decisions to make in
> regards to new inclusion or continued inclusion of root certificates in
> Mozilla's root store. With this new wiki page I am hoping to make such
> difficult root inclusion decisions more deterministic. Hopefully it will
> help the next time we have a difficult discussion about a CA who is
> currently in Mozilla's program. And hopefully it will enable us to decline
> root inclusion requests before we even get to the public discussion phase
> when the CA has participated in unacceptable behavior or has a multitude of
> concerning behaviors.
>
> Thanks in advance for your thoughtful and constructive consideration.
>
> Kathleen
