On 30/03/17 15:01, Peter Kurrasch wrote:
> By "not new", are you referring to Google being the second(?)
> instance where a company has purchased an individual root cert from
> another company? It's fair enough to say that Google isn't the first
> but I'm not aware of any commentary or airing of opposing viewpoints
> as to the suitability of this practice going forward.

As noted, I have no interest in banning this practice because I think the ecosystem effects would be negative.

> Has Mozilla received any notification that other companies intend to
> acquire individual roots from another CA?

Not to my knowledge, but they may have been communicating with Kathleen.

> Also, does Mozilla have any policies (requirements?) regarding
> individual root acquisition?

https://wiki.mozilla.org/CA:RootTransferPolicy
and
https://github.com/mozilla/pkipolicy/issues/57

> For example, how frequently should roots
> be allowed to change hands? What would Mozilla's response be if
> WoSign were to say that because of the tarnishing of their own brand
> they are acquiring the HARICA root?

From the above URL: "In addition, if the receiving company is new to the Mozilla root program, there must also be a public discussion regarding their admittance to the root program." Without completing the necessary steps, WoSign would not be admitted to the root program.

Gerv