I agree with Jeremy. Ryan Hurst
On Thu, Feb 9, 2023 at 10:28 AM 'Jeremy Rowley' via [email protected] <[email protected]> wrote: > Which CAs are even publicly traded at this point – Google, Amazon, > Entrust? Plus, do government CAs qualify as having independently and > publicly available audited financial statements? What about services like > Let’s Encrypt? They publish a report on their finances but I think that > report is written by Let’s Encrypt, not independent auditors? I’d venture > most of the CAs in the root program don’t meet both the independent and > publicly available statements. > > > > I don’t like this requirement because it means only small subsidiaries of > very large organizations can be a CA. > > > > > > *From:* [email protected] <[email protected]> *On > Behalf Of *Matthew Hardeman > *Sent:* Thursday, February 9, 2023 11:11 AM > *To:* Kathleen Wilson <[email protected]> > *Cc:* [email protected] > *Subject:* Re: DRAFT: Root Inclusion Considerations > > > > As a rule, you tend to have to be a pretty significant business operation > to have accounts / financial statements that are "independently audited or > examined." > > > > Even many small businesses have their financials and tax accounting > reviewed and prepared by accounting professionals. But that's different > from a formal assertion of "independently audited or examined." > > > > In the US, publicly traded corporations would be. But many private > entities would not. It can add a significant time investment and > significant expenditure to go that extra step and get an assertion from the > accountant that the financials represented in the report do materially > reflect the state of the business. > > > > Without expressing a particular opinion on the matter, I believe that you > should contemplate whether any risk mitigation value of imposing such > burdens outweighs the costs to the CA / prospective CA. > > > > On Thu, Feb 9, 2023 at 11:54 AM Kathleen Wilson <[email protected]> > wrote: > > Would it be reasonable to add the following as a Concerning Behavior? > > > > - The CA does not publish annual accounts or financial statements that > have been independently audited or examined. > > > > This has been suggested to me via email, but I am not versed in this area. > > > > Thanks, > > Kathleen > > > > > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/54e67648-e742-4995-865d-b5221fe3ef07n%40mozilla.org > <https://url.avanan.click/v2/___https:/groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/54e67648-e742-4995-865d-b5221fe3ef07n%40mozilla.org?utm_medium=email&utm_source=footer___.YXAzOmRpZ2ljZXJ0OmE6bzowMWIxYTQ5ZjkwZGI3MDEzNzBhMGMwMDZlYzVhYWFhNjo2OjRhNDc6OTBiNjEyMDE4NTIyN2MzMmM0YjY2ZTRhNmE5YjNhZDcyN2Y5NDRjNTljMGM0YWVhMGRiZGQ5OWYzZjdmN2M3YTpoOlQ> > . > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAPAx59EgVZ5rNUJgei2x14yUfany4kNCpDUu1m61tJWMKgGLtg%40mail.gmail.com > <https://url.avanan.click/v2/___https:/groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAPAx59EgVZ5rNUJgei2x14yUfany4kNCpDUu1m61tJWMKgGLtg%40mail.gmail.com?utm_medium=email&utm_source=footer___.YXAzOmRpZ2ljZXJ0OmE6bzowMWIxYTQ5ZjkwZGI3MDEzNzBhMGMwMDZlYzVhYWFhNjo2OjBiMGM6MzFiYmQ2NDA4ZDdmOGNkYjg1ZmJjOGQzNWU3MmUzY2JlNDFkYjdmZTdjYzQ2NzRkODkyOTA5MmRmNDdjOTBiZTpoOlQ> > . > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/BYAPR14MB26007E1B8E86C2DB615C54388ED99%40BYAPR14MB2600.namprd14.prod.outlook.com > <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/BYAPR14MB26007E1B8E86C2DB615C54388ED99%40BYAPR14MB2600.namprd14.prod.outlook.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CALVZKwb%2BLNBBourkpe3Du%2BLGNB%3DUKbVryMWjpCxmj8SeMR%2B_FA%40mail.gmail.com.
