Hi Jeremy,

Thanks for posting this. Mozilla had been concerned for some time about the level of BR compliance of the Verizon-controlled PKI and their seeming difficulties in bringing their many sub-CAs into compliance. When DigiCert approached us when researching the potential acquisition, they asked us if we were planning any immediate action against Verizon. We told them we were concerned, but nothing immediate was planned. They told us of their plan to take over ownership of these root hierarchies and clean them up.

When considering what to do in issues relating to the web PKI, we are always balancing the potential disruption to users of stopping an activity with the risk of allowing it to continue. We could have just un-trusted the Verizon-controlled roots, but the disruption from that would have been significant. DigiCert's offer to improve things seemed like a good way forward to us. Therefore, once the purchase completed, we told DigiCert they could have some time to bring these hierarchies into BR compliance. Jeremy's post explains how they have been doing that, and the timeline for completing their plan.

As a consequence of this promise, and DigiCert's generally robust response when it happens, Mozilla does not currently intend to follow up the fact that a number of the independently-operated sub-CAs under these roots have issued small numbers of SHA-1 certs. That doesn't mean we will overlook every BR or policy violation, and we expect DigiCert and its partners to operate these roots in full compliance once the transition is finished early next year.

This is not to say that people shouldn't give feedback on the DigiCert plan or suggest ways to improve it. Please do.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy