On 01/04/17 05:57, Peter Bowen wrote:
> The GeoRoot program was very similar to that offered by many CAs a few
> years ago.  CyberTrust (then Verizon, now DigiCert) has the OmniRoot
> program, Entrust has a root signing program[1], and GlobalSign Trusted
> Root[2] are just a few examples.

While this is true, it's not just about the existence of the legacy
program with problems, but about how the situation is handled. Verizon
were not able to bring their program into BR compliance; DigiCert bought
it and worked closely with Mozilla to generate some breathing space for
them to clean the system up. They posted public plans, kept us informed
of the issues found and their plans for remediation, and completed the
work pretty much on time. The Web PKI is a better place for it.

This does not seem to be the approach taken by Symantec, if we accept
Ryan's account of events.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
