When the Francisco Partners acquisition of Comodo was announced, it was
pointed out [1] that a strict reading of the current policy section 8.1
would have forced Comodo to stop issuing certificates for some period of
time:

> If the receiving or acquiring company is new to the Mozilla root program,
> there MUST be a public discussion regarding their admittance to the root
> program, which Mozilla must resolve with a positive conclusion before
> issuance is permitted.

I propose that we update section 8.1 to distinguish between root transfers
and acquisition of or investment in a CA organization, with the latter
cases allowing issuance to continue during the discussion period.

During the earlier discussion on this topic [1], it was also proposed that
we require the receiving or acquiring company to make no changes during the
discussion period and that we require all material changes anticipated as a
result of the investment or acquisition to be publicly disclosed by the CA.

This is: https://github.com/mozilla/pkipolicy/issues/109

[1]
https://groups.google.com/d/msg/mozilla.dev.security.policy/AvGlsb4BAZo/gQe5ggE6BQAJ
-------

This is a proposed update to Mozilla's root store policy for version
2.6. Please keep discussion in this group rather than on GitHub. Silence
is consent.

Policy 2.5 (current version):
https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
