By "not new", are you referring to Google being the second(?) instance where a company has purchased an individual root cert from another company? It's fair enough to say that Google isn't the first but I'm not aware of any commentary or airing of opposing viewpoints as to the suitability of this practice going forward.
Has Mozilla received any notification that other companies intend to acquire individual roots from another CA? I wouldn't ask Mozilla to violate any non-disclosures, but surely it's possible to let the community know if we should expect more of this? Ryan H. implied as much in a previous post, but I wasn't sure where he was coming from on that. Also, does Mozilla have any policies (requirements?) regarding individual root acquisition? For example, how frequently should roots be allowed to change hands? What would Mozilla's response be if WoSign were to say that because of the tarnishing of their own brand they are acquiring the HARICA root? What if Vladimir Putin were to make such a purchase? Any requirements on companies notifying the public when the acquisition takes place? Perhaps this is putting too much of a burden on Mozilla as a somewhat protector of the global PKI, but I'm not sure who else is in a better position for that role.

Original Message
From: Gervase Markham via dev-security-policy
Sent: Thursday, March 30, 2017 1:06 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Reply To: Gervase Markham
Subject: Re: Criticism of Google Re: Google Trust Services roots

On 29/03/17 20:46, Peter Kurrasch wrote:
> It's not inconsequential for Google to say: "From now on, nobody can
> trust what you see in the root certificate, even if some of it
> appears in the browser UI. The only way you can actually establish
> trust is to do frequent, possibly complicated research." It doesn't
> seem right that Google be allowed to unilaterally impose that change
> on the global PKI without any discussion from the security
> community.

As others in this thread have pointed out, this is not a new thing. I wouldn't say that Google is "imposing" this need.
Gerv

_______________________________________________
dev-security-policy mailing list
firstname.lastname@example.org
https://lists.mozilla.org/listinfo/dev-security-policy