On Thu, Feb 9, 2017 at 7:41 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 09/02/17 14:32, Gijs Kruitbosch wrote: >> Would Mozilla's root program consider changing this requirement so that >> it *does* require public disclosure, or are there convincing reasons not >> to? At first glance, it seems like 'guiding' CAs towards additional >> transparency in the CA market/industry/... might be helpful to people >> outside Mozilla's root program itself. > > This would require CAs and companies to disclose major product plans > publicly well in advance of the time they would normally disclose them. > I won't dig out the dates myself, or check the emails, but if you look > for the following dates from publicly-available information: > > A) The date Google took control of the GlobalSign roots > B) The date Google publicly announced GTS > > you will see there's quite a big delta. If you assume Google told > Mozilla about event A) before it happened, then you can see the problem.
Google says they took control on 11 August 2016. On 19 October 2016, Google publicly stated "Update on the Google PKI: new roots were generated and web trust audits were performed, the report on this is forthcoming," (https://cabforum.org/2016/10/19/2016-10-19-20-f2f-meeting-39-minutes/#Google) Google didn't file with Mozilla until 22 December 2016, and I suspect that was only because I happened to run across their staged website: https://twitter.com/pzb/status/812103974220222465 I appreciate the business realities of pre-disclosure, but that is not the case here. There is no excuse for having taken control of existing roots and not disclosing such once they disclosed that they are intending to become a root CA. Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
