Hi Jeremy,

Thanks for posting this. Mozilla had been concerned for some time about
the level of BR compliance of the Verizon-controlled PKI and their
seeming difficulties in bringing their many sub-CAs into compliance.
When DigiCert approached us when researching the potential acquisition,
they asked us if we were planning any immediate action against Verizon.
We told them we were concerned, but nothing immediate was planned. They
told us of their plan to take over ownership of these root hierarchies
and clean them up.

When considering what to do in issues relating to the web PKI, we are
always balancing the potential disruption to users of stopping an
activity with the risk of allowing it to continue. We could have just
un-trusted the Verizon-controlled roots, but the disruption from that
would have been significant. DigiCert's offer to improve things seemed
like a good way forward to us.

Therefore, once the purchase completed, we told DigiCert they could have
some time to bring these hierarchies into BR compliance. Jeremy's post
explains how they have been doing that, and the timeline for completing
their plan.

As a consequence of this promise, and DigiCert's generally robust
response when it happens, Mozilla does not currently intend to follow up
the fact that a number of the independently-operated sub-CAs under these
roots have issued small numbers of SHA-1 certs. That doesn't mean we
will overlook every BR or policy violation, and we expect DigiCert and
its partners to operate these roots in full compliance once the
transition is finished early next year.

This is not to say that people shouldn't give feedback on the DigiCert
plan or suggest ways to improve it. Please do.

dev-security-policy mailing list