All, Today I read through the Certainly CP/CPS and reviewed the Compliance Self-Assessment and GoDaddy's review documents. I did not see anything in the CP/CPS that did not conform to the Mozilla Root Store Policy or the CA/B Forum's Baseline Requirements.
I also looked at the GoDaddy-Fastly cross-certificate profiles and did not see anything that concerned me. The public comment period will close next Wednesday, 9-Mar-2022. Please provide any additional comments you may have by then. Yours sincerely, Ben On Tue, Mar 1, 2022 at 11:43 PM 'Brittany Randall' via [email protected] <[email protected]> wrote: > Regarding the GoDaddy CP/CPS review of Certainly, we have attached the > following review artifacts to Bug 1755851 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1755851>: > > - Attachment Compendium.pdf > - CPCPSReviewTracker.xlsx > - CSAReview.zip (contains three files) > - FastlyWebTrustAuditReportReview.zip (contains seven files) > > The first document, “Attachment Compendium.pdf” provides details and > additional context for the remaining three attachments uploaded. Also, for > reference, Certainly has published version 1.3 of the Certainly CP/CPS to > https://certainly.com/repository/ > > Best, > > Brittany Randall > > On Friday, February 25, 2022 at 9:06:08 AM UTC-7 Brittany Randall wrote: > >> We can provide some of our review documentation. I'll shoot to have >> something early next week. I'll plan to add any attachments to the bug, but >> will reply in this discussion to let folks know items are there. >> >> Best, >> >> Brittany >> >> On Tuesday, February 22, 2022 at 2:12:50 AM UTC-7 [email protected] wrote: >> >>> >>> >>> On 21/2/2022 3:28 π.μ., Ryan Sleevi wrote: >>> > This speaks to Dimitris' point, or perhaps misunderstanding, about the >>> > root inclusion process. The suggestion of there being simply a three >>> > week review process overlooks the significant, and transparent, >>> > vetting that occurs on the CCADB Case and Bugzilla issue prior to >>> > acceptance, including, as has been previously mentioned, the detailed >>> > CP/CPS review by someone who regularly performs CP/CPS reviews, and >>> > with a vested interested towards protecting users. The incentives, >>> > process, and outcomes are all radically different with respect to >>> > subordination, and yet the risks are, at best, the same, or as >>> > previously highlighted, even greater than those risks of a root (due >>> > to shared fate). >>> >>> I would like to remind people that before Mozilla adopted the great >>> practice for detailed CP/CPS reviews by its own staff (with the >>> unquestionable incentives, experience that Ryan mentioned), the Mozilla >>> community contributed to these CP/CPS reviews. Members of the community, >>> including people associated with CAs and Browsers, were performing >>> reviews (perhaps not as detailed as the ones performed during the last 2 >>> years) and technical checks (for example CRLs, OCSP and other "publicly >>> visible" technical elements). >>> >>> My point is that we should not outright consider CA reviews as >>> non-trusted. In fact, any review is useful especially if it is publicly >>> disclosed. This is also supported in >>> https://wiki.mozilla.org/CA/Application_Verification#Public_discussion. >>> >>> If GoDaddy has performed such an analysis in Certainly's CP/CPS, I would >>> recommend its disclosure to this request so that members can >>> independently assess. It would also help Ben with his review during the >>> Root inclusion request process. >>> >>> >>> -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/d73a51c1-5f68-4626-b4a7-ea3643747a19n%40mozilla.org > <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/d73a51c1-5f68-4626-b4a7-ea3643747a19n%40mozilla.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYTK4SA2h6f3ej8hGifT-7-EyWVaJd-z0nbwE3s%2BFoUCg%40mail.gmail.com.
