* Peter Kurrasch via dev-security-policy:

> By "not new", are you referring to Google being the second(?) instance
> where a company has purchased an individual root cert from another
> company? It's fair enough to say that Google isn't the first but I'm
> not aware of any commentary or airing of opposing viewpoints as to the
> suitability of this practice going forward.

I think most of the DNs in the Mozilla root store still do not reflect
reality.  The restrictions on certificate naming do not apply to the
CAs themselves.  This is due to the way PKIX validation works.
Correcting the DNs would break the certificate chains.
dev-security-policy mailing list

Reply via email to