Dear Kathleen,

I think your suggestions absolutely go in the right direction.

I would only comment on the “network monitoring” as my understanding is that 
things like collecting information in the sense of Threat Intelligence / OSINT 
should be allowed (we want to know what’s being said about us on the web – dark 
and light alike) and things like intercepting / manipulating traffic should be 
not allowed (unless it goes into the "lawful interception" category, which 
would be a bit strange for a CA to be involved in… but alas. 😉). I'm not a 
native English speaker, so I don't dare to suggest concrete wording, but I hope 
this helps to clarify the thought behind this requirement a bit.

Thanks
Roman

From: 'Kurt Seifried' via [email protected] 
<[email protected]>
Sent: Wednesday, 8 February 2023 03:03
To: Kathleen Wilson <[email protected]>
Cc: [email protected]
Subject: Re: DRAFT: Root Inclusion Considerations

On Tue, Feb 7, 2023 at 6:10 PM Kathleen Wilson <[email protected]> wrote:
Thank you all for your feedback so far. I am sure it will take a couple 
iterations to get this all correct and usable, so I will continue to appreciate 
your feedback on this draft page.

https://wiki.mozilla.org/CA/Root_Inclusion_Considerations

I have incorporated your feedback as follows.

- Changed network surveillance bullet point to:
network surveillance that collects information about a person or organization 
and sends it to another entity in a way that endangers the privacy or device 
security of the person or organization

I think network surveillance might need a bit of definition here, e.g. are we 
talking just packet sniffing/dns/bgp/etc redirection? Or for example, as a root 
CA I could potentially also issue client authentication certificates and use 
them to log into a site (e.g. with auth locked to a specific domain unless you 
pin to a specific cert/key...).

- Changed the cyber espionage bullet point to:
cyber espionage that aims to obtain information from a person or organization 
without the knowledge or permission of the person or organization for personal, 
economic, political or military advantage.

This definitely covers things like Atos monitoring the darkweb and being paid 
to do so (see CCADB public forum discussion about this).

- Changed the “The CA operator has done any of the following:” bullet and 
sub-bullet points to:
The CA operator appears to have:
– Deliberately violated Mozilla's Root Store Policy or other applicable policy; 
or

Which version? Current versions? Past versions? E.g. if a CA did something that 
wasn't previously banned, and is then later banned what exactly happens?

– Lied, concealed, or failed to disclose the full extent of a problem.

One thought: post-mortems sometimes take time, I worry that this might 
incentivize companies not to look as deeply, and hope that they can get away 
with it, especially since external investigations into this are almost 
impossible without full cooperation of the organization being investigated 
(witness Trustcor).

- Changed “Has gaps between audit periods.” to:
Has non-contiguous audit periods

This might unintentionally punish an organization that shortens its audit cycle 
(which is probably a good thing).


- Added Warning Signs:
– Fails to provide prompt and detailed responses to Mozilla inquiries about 
their CA operations, root inclusion requests, policy documents, audit 
statements, and incidents.

Can we add something to ensure this is done publicly and transparently? E.g. Is 
Mozilla asking these things in public, in private, in both? I assume these are 
all public asks, but it's not stated clearly as such (or I could be wrong and 
you're asking for tons of things in private?).

- Demonstrates unacceptable behavior in Mozilla's dev-security-policy 
discussion forum (https://groups.google.com/a/mozilla.org/g/dev-security-policy), 
as per Mozilla's Community Participation Guidelines 
(https://www.mozilla.org/about/governance/policies/participation/).
- Fails to follow the CCADB Public Code of Conduct 
(https://docs.google.com/document/d/19ALqEvHtTE6OUTz2FaOXrU9gruIdvia5EDh3hXeGpZA/) 
when posting in the CCADB Public discussion forum 
(https://groups.google.com/a/ccadb.org/g/public).

Thanks!
Kathleen

--
Kurt Seifried (He/Him)
[email protected]
--
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa3-5ot2bc1L_mtigtLnN4h2Xt2p6EV6Hey_qABgAhd8t%3DA%40mail.gmail.com.

-- 
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ZRAP278MB056258671AB686CF95F034BCFAD89%40ZRAP278MB0562.CHEP278.PROD.OUTLOOK.COM.