On Fri, Mar 31, 2017 at 8:18 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 30/03/17 15:01, Peter Kurrasch wrote:
>> By "not new", are you referring to Google being the second(?)
>> instance where a company has purchased an individual root cert from
>> another company? It's fair enough to say that Google isn't the first
>> but I'm not aware of any commentary or airing of opposing viewpoints
>> as to the suitability of this practice going forward.
>
> As noted, I have no interest in banning this practice because I think
> the ecosystem effects would be negative.
>
>> Has Mozilla received any notification that other companies intend to
>> acquire individual roots from another CA?
>
> Not to my knowledge, but they may have been communicating with Kathleen.
>
>> Also, does Mozilla have any policies (requirements?) regarding
>> individual root acquisition?
>
> https://wiki.mozilla.org/CA:RootTransferPolicy
> and
> https://github.com/mozilla/pkipolicy/issues/57
>
>> For example, how frequently should roots
>> be allowed to change hands? What would Mozilla's response be if
>> GalaxyTrust (an operator not in the program)
>> were to say that they are acquiring the HARICA root?
>
> From the above URL: "In addition, if the receiving company is new to the
> Mozilla root program, there must also be a public discussion regarding
> their admittance to the root program."
>
> Without completing the necessary steps, GalaxyTrust would not be admitted to
> the root program.

I've modified the quoted text a little to try to make this example clearer, as I think the prior example conflated multiple things and used language that did not help clarify the situation.

Is the revised example accurate?

Thanks, Peter