Thank you all for your feedback so far. I am sure it will take a couple of iterations to get this all correct and usable, so I will continue to appreciate your feedback on this draft page.
https://wiki.mozilla.org/CA/Root_Inclusion_Considerations

I have incorporated your feedback as follows.

- Changed network surveillance bullet point to: network surveillance that collects information about a person or organization and sends it to another entity in a way that endangers the privacy or device security of the person or organization
- Changed the cyber espionage bullet point to: cyber espionage that aims to obtain information from a person or organization without the knowledge or permission of the person or organization for personal, economic, political or military advantage.
- Changed the “The CA operator has done any of the following:” bullet and sub-bullet points to: The CA operator appears to have:
  – Deliberately violated Mozilla's Root Store Policy or other applicable policy; or
  – Lied, concealed, or failed to disclose the full extent of a problem.
- Moved the “Mis-issued a large or unknown number of…” sub-bullet point to: The CA operator has:
  – Repeated incidents of certificate mis-issuance that the CA operator previously claimed to have resolved;
  – Failed to identify and remediate the root cause of their incident of certificate mis-issuance; or
  – Demonstrated insufficient quality or competence in their CA’s operations by frequently mis-issuing certificates, especially when such mis-issuance would be prevented by pre-issuance lint testing.
- Added “Mozilla may deny a root inclusion request for reasons or behaviors not listed on this page.”
- Changed “The CA’s provided address is a mail drop, rather than an office.” to: The CA’s provided address is a P.O. box, mail drop, or an address shared with numerous other companies/entities (e.g. shell corporate registry).
- Changed “The CA's representatives are evasive…” to: The CA's representatives are not fully transparent on matters such as legal domicile and ownership.
- For the “This CA is associated / owned…” bullet points, added: (or the CA’s owning entities are)
- Changed CABF bullet point to: “Is not a voting member <https://cabforum.org/information-for-potential-members/>, associate member <https://github.com/cabforum/forum/blob/main/Bylaws.md#31-associate-members>, or interested party <https://github.com/cabforum/forum/blob/main/Bylaws.md#32-interested-parties> participating in the CA/Browser Forum (CABF) Server Certificate Working Group (when applying for the Websites trust bit) or the CABF S/MIME Certificate Working Group (when applying for the Email trust bit).”
- Changed “Has gaps between audit periods.” to: Has non-contiguous audit periods
- Added Warning Signs:
  – Fails to provide prompt and detailed responses to Mozilla inquiries about their CA operations, root inclusion requests, policy documents, audit statements, and incidents.
  – Demonstrates unacceptable behavior in Mozilla's dev-security-policy <https://groups.google.com/a/mozilla.org/g/dev-security-policy> discussion forum, as per Mozilla’s Community Participation Guidelines <https://www.mozilla.org/about/governance/policies/participation/>.
  – Fails to follow the CCADB Public Code of Conduct <https://docs.google.com/document/d/19ALqEvHtTE6OUTz2FaOXrU9gruIdvia5EDh3hXeGpZA/> when posting in the CCADB Public <https://groups.google.com/a/ccadb.org/g/public> discussion forum.

Thanks!
Kathleen
