All,

Thanks again for your responses in this discussion. After investigation and double-checking again with those of you who have previously raised concern about this request, I have not obtained reasonable suspicion <https://www.merriam-webster.com/legal/reasonable%20suspicion> that One Pass is malware. And I believe that the Beijing CA has been genuinely responsive to all of our questions.
I will answer some of your other questions below.

>> But to clarify, you have the final and sole authority for Mozilla to approve/disapprove root certificate inclusions in Mozilla?
>> So to confirm: this all rests on you, and not a group? What happens if you get hit by a bus or take a sabbatical?
>> Who is next in line to make these decisions? Is this documented publicly?

Ben and I currently choose to have a two-person approach to processing and approving root inclusion requests. Ben guides a CA's root inclusion request through our process and either denies the request or states his recommendation that the request be approved. Then I look through the information and either approve or deny the request. Whenever I have difficulty making the final decision, I work with people within Mozilla to either confirm or resolve my concerns before posting my decision.

This two-person approach is not a required step in our process, and there have been many periods of time (in the past 15 years <https://www.linkedin.com/in/kathleenawilson/>) during which I was the only Mozilla CA Program Manager and had to do both the inclusion process and the final approval myself. If I decide not to work anymore, then Ben will fulfill both parts of this two-person approach until Mozilla backfills my position or another solution is found.

Reference:
https://wiki.mozilla.org/Modules/Activities#CA_Certificates
https://wiki.mozilla.org/Modules/Activities#Mozilla_CA_Certificate_Policy

>> Witness involvement in this mailing list as a good example of how few people are actually involved.

I agree that the CA Community is relatively small, but there are actually a lot of people who pay attention to these discussions even though they do not actively participate. As admins for this discussion group, Ben and I have visibility into the group's members.
Also note that Mozilla's Root Store Policy says: "CA operators MUST follow and be aware of discussions in Mozilla dev-security-policy forum and the CCADB Public List, where root store policies and program updates are announced and public discussions of root inclusion requests occur. They are encouraged, but not required, to contribute to those discussions."

Ben and I greatly appreciate all of you who do actively participate in this discussion forum!

Thanks,
Kathleen

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/4e1b42ac-edaa-4d9e-83ef-55e9e594af0cn%40mozilla.org.
