On Fri, Mar 31, 2017 at 8:18 AM, Gervase Markham via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 30/03/17 15:01, Peter Kurrasch wrote:
>> By "not new", are you referring to Google being the second(?)
>> instance where a company has purchased an individual root cert from
>> another company? It's fair enough to say that Google isn't the first
>> but I'm not aware of any commentary or airing of opposing viewpoints
>> as to the suitability of this practice going forward.
> As noted, I have no interest in banning this practice because I think
> the ecosystem effects would be negative.
>> Has Mozilla received any notification that other companies ‎intend to
>> acquire individual roots from another CA?
> Not to my knowledge, but they may have been communicating with Kathleen.
>> Also, does Mozilla have any policies (requirements?) regarding
>> individual root acquisition?
> https://wiki.mozilla.org/CA:RootTransferPolicy
> and
> https://github.com/mozilla/pkipolicy/issues/57
>> For example, how frequently should roots
>> be allowed to change hands? What would Mozilla's response be if
>> GalaxyTrust (an operator not in the program)
>> were to say that they are acquiring the HARICA root?
> From the above URL: "In addition, if the receiving company is new to the
> Mozilla root program, there must also be a public discussion regarding
> their admittance to the root program."
> Without completing the necessary steps, GalaxyTrust would not be admitted to
> the root program.

I've modified the quoted text a little to try to make this example
clearer, as I think the prior example conflated multiple things and
used language that did not help clarify the situation.

Is the revised example accurate?

dev-security-policy mailing list

Reply via email to