Are there existing rules, in the CABForum BRs, or in the Mozilla CA policy, that define under which circumstances the private key of an actively used EV approved root CA may be transferred to a different company, that hasn't been audited for EV compliance?
As soon as the private key has been given to another company, the receiving company technically has the ability to issue EV certificates (even if they never intend to do so), right?

I would have naively assumed that a company that owns an EV approved CA is expected to strictly protect their EV issuing power, and must never share it with another company that hasn't been approved for issuing EV certificates.

If this makes sense, and if there aren't any rules yet, I suggest adding them to the appropriate policy documents.

Thanks
Kai

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy