On 09/02/17 05:31, Peter Bowen wrote:
> Third, the Google CPS says Google took control of these roots on
> August 11, 2016.  The Mozilla CA policy explicitly says that a bug
> report must be filed to request to be included in the Mozilla CA
> program. 

But the Mozilla CA policy does not require that the organization on the
receiving end of a root transfer must re-apply for inclusion for
already-included certificates.

> It was not until December 22, 2016 that Google requested
> inclusion as a CA in Mozilla's CA program
> (https://bugzilla.mozilla.org/show_bug.cgi?id=1325532).  This does not
> appear to align with Mozilla requirements for public disclosure.

We require disclosure of root ownership transfer, but not _public_
disclosure. Kathleen would need to speak regarding dates, but I know
Mozilla was made aware of these transfers significantly before the
inclusion request was filed.

Apart from this, however, it seems at first glance that the other
assertions made in Peter's post here in mozilla.dev.security.policy are
correct. So CCing Ryan Hurst of GTS for a response.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to