On Thu, Mar 23, 2017 at 8:37 AM, Peter Kurrasch via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I would be interested in knowing why Google felt it necessary to purchase
> an existing root instead of, for example, pursuing a "new root" path along
> the lines of what Let's Encrypt did? All I could gather from the Google
> security blog is that they really want to be a root CA and to do it in a
> hurry. Why the need to do it quickly, especially given the risks (attack
> surface)?

Clarification: I'm not speaking on behalf of Google.

I think this demonstrates a lack of understanding of what Let's Encrypt did. Let's Encrypt obtained a cross-signed certificate (from IdenTrust), which is "purchasing" a signature for their key. This is one approach. Purchasing a pre-existing signature (and key) is another. They are functionally equivalent.

So what Google has done is what Let's Encrypt did.