I think Mozilla should have a very clear policy for: (1) If a company that not a public trusted CA acquired a trusted root key, what the company must do? (2) If a company is a public trusted CA that acquired a trusted root key, what the company must do? (3) If a company is a public trusted CA, but distrusted by Mozilla, this company acquired a trusted root key, what the company must do?
Thanks. Best Regards, Richard -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On Behalf Of Peter Bowen via dev-security-policy Sent: Friday, February 10, 2017 1:10 PM To: Gervase Markham <g...@mozilla.org> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots) On Thu, Feb 9, 2017 at 7:41 AM, Gervase Markham via dev-security-policy <firstname.lastname@example.org> wrote: > On 09/02/17 14:32, Gijs Kruitbosch wrote: >> Would Mozilla's root program consider changing this requirement so >> that it *does* require public disclosure, or are there convincing >> reasons not to? At first glance, it seems like 'guiding' CAs towards >> additional transparency in the CA market/industry/... might be >> helpful to people outside Mozilla's root program itself. > > This would require CAs and companies to disclose major product plans > publicly well in advance of the time they would normally disclose them. > I won't dig out the dates myself, or check the emails, but if you look > for the following dates from publicly-available information: > > A) The date Google took control of the GlobalSign roots > B) The date Google publicly announced GTS > > you will see there's quite a big delta. If you assume Google told > Mozilla about event A) before it happened, then you can see the problem. Google says they took control on 11 August 2016. On 19 October 2016, Google publicly stated "Update on the Google PKI: new roots were generated and web trust audits were performed, the report on this is forthcoming," (https://cabforum.org/2016/10/19/2016-10-19-20-f2f-meeting-39-minutes/#Google) Google didn't file with Mozilla until 22 December 2016, and I suspect that was only because I happened to run across their staged website: https://twitter.com/pzb/status/812103974220222465 I appreciate the business realities of pre-disclosure, but that is not the case here. There is no excuse for having taken control of existing roots and not disclosing such once they disclosed that they are intending to become a root CA. Thanks, Peter _______________________________________________ dev-security-policy mailing list email@example.com https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list firstname.lastname@example.org https://lists.mozilla.org/listinfo/dev-security-policy