On Wed, Nov 30, 2022 at 12:22 PM Dimitris Zacharopoulos <[email protected]> wrote:
> FWIW, I worked several times with Trustcor's representatives within the Server Certificate WG of the CA/Browser Forum, and more closely at the Network Security Subcommittee (now a separate Working Group). One particular Trustcor representative was very actively working with the rest of the subcommittee on improving the network security requirements and raising the bar for all CAs, providing good guidance, strong requirements, all based on good security principles that they had already implemented internally. It is very hard for me to believe that a CA that applies good security principles/practices in one area (TLS Certificates) would not follow the same good security principles/practices in another (S/MIME).
>
> Also, judging from the 4 closed security incidents handled by Trustcor until now (https://wiki.mozilla.org/CA/Closed_Incidents), this CA seems to have been responsive and handled security incidents meeting the expectations of this community.

I'm merely an interested relying party of the WebPKI ecosystem. While there has been much brought to light that potentially paints some of those who are or were involved with Trustcor in a negative light, Dimitris' comments are interesting in providing further context to the organization's participation in the ecosystem.

Something that yet again concerns me in this discussion is an issue that I touched on previously in the discussions related to Dark Matter: that unless the program is requiring transparency as to corporate governance and management/operations authority, and establishing a basis for trust and accountability at the level of those individuals empowered by participation in the program, I believe we will continue to see these subjective trust decisions again and again.

Ref: https://groups.google.com/g/mozilla.dev.security.policy/c/nnLVNfqgz7g/m/CY95HQA3AQAJ

As Kathleen acknowledged (at https://groups.google.com/g/mozilla.dev.security.policy/c/nnLVNfqgz7g/m/LPCGngLxBwAJ), the decision in the Dark Matter inclusion discussion did represent a shift in decisioning in a program, with a view to a more subjective take on CA inclusion.

I once again humbly submit that I believe the executive and operational management teams of the CAs in the programs should be required to submit to the root program personal attestations as to their position and authority, along with a commitment to inform the program promptly if anything has altered or replaced their authority. I believe there should be an explicit understanding that failures by such person(s) would be held against such person(s) individually and would bar their involvement at other trusted CAs for an indefinite period.

I yet again advocate for a measurable standard for holding CAs accountable at the executive management / operations level, with costs taxed upon those persons who have made commitments to the program and failed to honor them.

It seems likely to me that one or more presently included CAs could be reasonably described as owned by Blackrock or Vanguard. Much of the world is, with those institutions' funds exercising control on behalf of the retiree funds they've been entrusted with. Those entities also own/control some less savory things. Yet we don't hold those common ownership concerns against program participants.

And yet, I think we'd all want to know if the former manager of WoTrust were now an admin at any trusted CA?
