On Thu, Jun 8, 2017 at 9:38 AM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > As the linked proposal was worded (I am not on Blink mailing lists), it > seemed obvious that the original timeline was: > > Later: Once the new roots are generally accepted, Symantec can actually > issue from the new SubCAs. > > Long term: CRL and OCSP management for the managed SubCAs remain with the > third party CAs. This continues until the managed SubCAs expire or are > revoked.
I don't see this last part in the proposal. Instead the proposal appears to specifically contemplate the SubCAs being transferred to Symantec once the new roots are accepted in the required trust stores. Additionally, there is no policy, as far as I know, that governs transfer of non-Root CAs. This is possibly a gap, but an existing one. Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy