Hi, I touched on my thoughts on this matter a bit before.
This is really about trust. I think several factors must be weighed here: 1. Is "trust" really required of a CA in a soon-to-be post-mandatory-CT-log world? If some level of trust is required, then: 2. Can we say that the QiHoo 360 / WoSign / WoTrus / WoTrust / StartCom family of corporate entities has any left? And furthermore is trust in the corporate entity chain even necessary if... 3. Are individuals filling executive and executive operations positions taking personal responsibility for key generation and management, stand up of the infrastructure, day to day operation of the infrastructure? And if so, can those individuals represent that they're staking their personal reputations on personally managing this infrastructure or in the alternative guaranteeing to affirmatively notify the community that they are stepping down and can no longer be responsible? My take: Businesses are assets. Assets can be closely held or not. In many cases, the not closely held assets are traded around quite often, often with little oversight. I don't think we can make any assertions on trust as to the ownership. I do, however, believe that a company can be operated in such a manner that key executives can be identified and personal representations of those parties can be relied upon in as far as that consequences can be visited upon those individuals by the root programs. I do firmly support the spirit of this thread. I think it would be unethical of the community and of the Mozilla Root Program to dangle the theoretical possibility of inclusion / reinclusion -- encouraging the endeavor such that many external costs are taxed upon the prospect -- if they have knowledge that there are likely to be problems in the final approval in terms of community buy-in. The downside, of course, is that while this alternative pre-discussion allows for discussion of the nebulous concept of "trust" and integrity, it actually denies the community those matters which can be most objectively evaluated -- the CPS, the subscriber agreements, certificate policy, auditor's opinions, etc. (which makes sense -- the development of these is pricey). I suppose, in summation, I believe this conversation only matters if we're really trying to have a discussion about trust and defining trust and importance of trust and whether there is a way that this CA can be trusted. Just my thoughts... Matt Hardeman On Wed, Nov 22, 2017 at 3:05 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > We understand that WoTrus (WoSign changed their name some months ago) > are working towards a re-application to join the Mozilla Root Program. > Richard Wang recently asked us to approve a particular auditor as being > suitable to audit their operations. > > In the WoSign Action Items bug: > https://bugzilla.mozilla.org/show_bug.cgi?id=1311824 > Kathleen wrote "WoSign may apply for inclusion of new (replacement) root > certificates[1] following Mozilla's normal root inclusion/change > process[2] (minus waiting in the queue for the discussion), after they > have completed all of the following action items, and no earlier than > June 1, 2017." > > However, one step in the inclusion process is the public discussion, and > we have some reason to believe that this may lead to significant > objections being raised. It would not be reasonable to encourage WoSign > to complete all the other steps in the process if there was little or no > chance of them being approved in public discussion. > > So Kathleen and I thought it would be best to have a pre-discussion now, > in order to make sure that expectations are set appropriately. If WoTrus > had completed all the action items in the bug and arrived at the public > discussion part of the application, what would people say? If you raise > an objection, please say if there is any way at all that you think > WoTrus could address your issue. > > Thanks for your input, > > Gerv > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
