On 09/02/17 14:32, Gijs Kruitbosch wrote:
> Would Mozilla's root program consider changing this requirement so that
> it *does* require public disclosure, or are there convincing reasons not
> to? At first glance, it seems like 'guiding' CAs towards additional
> transparency in the CA market/industry/... might be helpful to people
> outside Mozilla's root program itself.

This would require CAs and companies to disclose major product plans
publicly well in advance of the time they would normally disclose them.
I won't dig out the dates myself, or check the emails, but if you look
for the following dates from publicly-available information:

A) The date Google took control of the GlobalSign roots
B) The date Google publicly announced GTS

you will see there's quite a big delta. If you assume Google told
Mozilla about event A) before it happened, then you can see the problem.

dev-security-policy mailing list
