On 09/02/17 05:31, Peter Bowen wrote:
> Third, the Google CPS says Google took control of these roots on
> August 11, 2016. The Mozilla CA policy explicitly says that a bug
> report must be filed to request to be included in the Mozilla CA
> program.

But the Mozilla CA policy does not require that the organization on the receiving end of a root transfer must re-apply for inclusion for already-included certificates.

> It was not until December 22, 2016 that Google requested
> inclusion as a CA in Mozilla's CA program
> (https://bugzilla.mozilla.org/show_bug.cgi?id=1325532). This does not
> appear to align with Mozilla requirements for public disclosure.

We require disclosure of root ownership transfer, but not _public_ disclosure. Kathleen would need to speak regarding dates, but I know Mozilla was made aware of these transfers significantly before the inclusion request was filed.

Apart from this, however, it seems at first glance that the other assertions made in Peter's post here in mozilla.dev.security.policy are correct. So CCing Ryan Hurst of GTS for a response.

Gerv