On 09/02/17 14:32, Gijs Kruitbosch wrote:
> Would Mozilla's root program consider changing this requirement so that
> it *does* require public disclosure, or are there convincing reasons not
> to? At first glance, it seems like 'guiding' CAs towards additional
> transparency in the CA market/industry/... might be helpful to people
> outside Mozilla's root program itself.

This would require CAs and companies to disclose major product plans publicly well in advance of the time they would normally disclose them. I won't dig out the dates myself, or check the emails, but if you look for the following dates from publicly-available information:

A) The date Google took control of the GlobalSign roots
B) The date Google publicly announced GTS

you will see there's quite a big delta. If you assume Google told Mozilla about event A) before it happened, then you can see the problem.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

