On 07/03/17 03:14, Ryan Hurst wrote:
>> Gerv: Just to be clear: GlobalSign continues to operate at least one subCA
>> under a root which Google has purchased, and that root is EV-enabled,
>> and the sub-CA continues to do EV issuance (and is audited as such) but
>> the root is no longer EV audited, and nor is the rest of the hierarchy?
>
> Yes, that is correct.

OK. Question for group: would it make sense to add the intermediate(s) that GlobalSign is using for this purpose directly to the Mozilla trust store, with the EV bit enabled, and then remove the EV bit from the roots now owned by Google Trust Services? This would scope EV permissions more closely to the audits, and so prevent Google from accidentally or intentionally issuing EV which was shown as such in Firefox, without having an EV audit.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy