Which CAs are even publicly traded at this point – Google, Amazon, Entrust? Plus, do government CAs qualify as having independently and publicly available audited financial statements? What about services like Let’s Encrypt? They publish a report on their finances but I think that report is written by Let’s Encrypt, not independent auditors? I’d venture most of the CAs in the root program don’t meet both the independent and publicly available statements.
I don’t like this requirement because it means only small subsidiaries of very large organizations can be a CA.

From: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> On Behalf Of Matthew Hardeman
Sent: Thursday, February 9, 2023 11:11 AM
To: Kathleen Wilson <kwil...@mozilla.com>
Cc: dev-security-policy@mozilla.org
Subject: Re: DRAFT: Root Inclusion Considerations

As a rule, you tend to have to be a pretty significant business operation to have accounts / financial statements that are "independently audited or examined." Even many small businesses have their financials and tax accounting reviewed and prepared by accounting professionals. But that's different from a formal assertion of "independently audited or examined." In the US, publicly traded corporations would be. But many private entities would not.

It can add a significant time investment and significant expenditure to go that extra step and get an assertion from the accountant that the financials represented in the report do materially reflect the state of the business.

Without expressing a particular opinion on the matter, I believe that you should contemplate whether any risk mitigation value of imposing such burdens outweighs the costs to the CA / prospective CA.

On Thu, Feb 9, 2023 at 11:54 AM Kathleen Wilson <kwil...@mozilla.com> wrote:

Would it be reasonable to add the following as a Concerning Behavior?

- The CA does not publish annual accounts or financial statements that have been independently audited or examined.

This has been suggested to me via email, but I am not versed in this area.

Thanks,
Kathleen

--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/54e67648-e742-4995-865d-b5221fe3ef07n%40mozilla.org.

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAPAx59EgVZ5rNUJgei2x14yUfany4kNCpDUu1m61tJWMKgGLtg%40mail.gmail.com.

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/BYAPR14MB26007E1B8E86C2DB615C54388ED99%40BYAPR14MB2600.namprd14.prod.outlook.com.