On Tue, Mar 14, 2023 at 5:11 PM Kathleen Wilson <[email protected]> wrote:
> All,
>
> Thanks again for your responses in this discussion. After investigation and double-checking again with those of you who have previously raised concern about this request, I have not obtained reasonable suspicion <https://www.merriam-webster.com/legal/reasonable%20suspicion> that One Pass is malware. And I believe that the Beijing CA has been genuinely responsive to all of our questions.
>
> I will answer some of your other questions below.
>
>> But to clarify, you have the final and sole authority for Mozilla to approve/disapprove root certificate inclusions in Mozilla?
>>
>> So to confirm: this all rests on you, and not a group? What happens if you get hit by a bus or take a sabbatical?
>>
>> Who is next in line to make these decisions? Is this documented publicly?
>
> Ben and I currently choose to have a two-person approach to processing and approving root inclusion requests, where Ben guides a CA's root inclusion request through our process and either denies the request or states his recommendation that the request be approved. Then I look through the information and either approve or deny the request. Whenever I have difficulty making the final decision, I work with people within Mozilla to either confirm or resolve my concerns before posting my decision.
>
> This two-person approach is not a required step in our process, and there have been many periods of time (in the past 15 years <https://www.linkedin.com/in/kathleenawilson/>) during which I was the only Mozilla CA Program Manager and had to do both the inclusion process and the final approval myself. If I decide not to work anymore, then Ben will fulfill both parts of this two-person approach until Mozilla backfills my position or another solution is found.
>
> Reference:
> https://wiki.mozilla.org/Modules/Activities#CA_Certificates
> https://wiki.mozilla.org/Modules/Activities#Mozilla_CA_Certificate_Policy

So to be clear, there are two people (yourself and Ben) responsible for: "Definition and enforcement of policies governing Certification Authorities, their root certificates included in Mozilla software products, and intermediate and end-entity certificates within those CA hierarchies." and there are no alternates/backups/etc.? Dare I ask, what happens if one or both of you stop working at Mozilla, or eat a bad tuna sandwich or whatever knocks you out of commission?

>> Witness involvement in this mailing list as a good example of how few people are actually involved.
>
> I agree that the CA Community is relatively small, but there are actually a lot of people who pay attention to these discussions even though they do not actively participate. As admins for this discussion group, Ben and I have visibility into the group's members.
>
> Also note that Mozilla's Root Store Policy says: "CA operators MUST follow and be aware of discussions in Mozilla dev-security-policy forum and the CCADB Public List, where root store policies and program updates are announced and public discussions of root inclusion requests occur. They are encouraged, but not required, to contribute to those discussions."
>
> Ben and I greatly appreciate all of you who do actively participate in this discussion forum!
>
> Thanks,
> Kathleen

--
Kurt Seifried (He/Him)
[email protected]

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa3_XLBMcOOeqQW58Yzd0JpX6iMTMACJnP7SUDqp-VR-dOA%40mail.gmail.com.
