Entrust is, to my knowledge, privately owned. I believe that Amazon Trust Services LLC, Certainly LLC, Google Trust Services LLC, and Starfield Technologies LLC are all privately held companies that are owned by publicly traded companies. I'd be surprised if any of these CA operators (as defined in their WebTrust audit reports) has financial reporting equivalent to a company that has securities registered with the US SEC.
On Thu, Feb 9, 2023 at 10:28 AM 'Jeremy Rowley' via [email protected] <[email protected]> wrote: > > Which CAs are even publicly traded at this point – Google, Amazon, Entrust? > Plus, do government CAs qualify as having independently and publicly > available audited financial statements? What about services like Let’s > Encrypt? They publish a report on their finances but I think that report is > written by Let’s Encrypt, not independent auditors? I’d venture most of the > CAs in the root program don’t meet both the independent and publicly > available statements. > > > > I don’t like this requirement because it means only small subsidiaries of > very large organizations can be a CA. > > > > > > From: [email protected] <[email protected]> On > Behalf Of Matthew Hardeman > Sent: Thursday, February 9, 2023 11:11 AM > To: Kathleen Wilson <[email protected]> > Cc: [email protected] > Subject: Re: DRAFT: Root Inclusion Considerations > > > > As a rule, you tend to have to be a pretty significant business operation to > have accounts / financial statements that are "independently audited or > examined." > > Even many small businesses have their financials and tax accounting reviewed > and prepared by accounting professionals. But that's different from a formal > assertion of "independently audited or examined." > > In the US, publicly traded corporations would be. But many private entities > would not. It can add a significant time investment and significant > expenditure to go that extra step and get an assertion from the accountant > that the financials represented in the report do materially reflect the state > of the business. > > Without expressing a particular opinion on the matter, I believe that you > should contemplate whether any risk mitigation value of imposing such burdens > outweighs the costs to the CA / prospective CA. > > > > On Thu, Feb 9, 2023 at 11:54 AM Kathleen Wilson <[email protected]> wrote: > > Would it be reasonable to add the following as a Concerning Behavior? > > > > - The CA does not publish annual accounts or financial statements that have > been independently audited or examined. > > > > This has been suggested to me via email, but I am not versed in this area. -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAK6vND-M8w9H1-e0Lefde7DdmEc8hZucUeNV7cxZyNvtyOpTBg%40mail.gmail.com.
