I have made the following changes to https://wiki.mozilla.org/CA/Root_Inclusion_Considerations#Concerning_Behavior
1) Clarified the intent of this section in the first paragraph: The following situations are concerning *in aggregate*; meaning that a concern would be raised when a collection (several) of the main bullet points below happen. These *concerns in aggregate* may lead to Mozilla denying the CA operator's root inclusion request. If the CA operator currently has root certificates in Mozilla's root store and these *concerns in aggregate* apply, then Mozilla should perform a risk versus value assessment, and may remove those root certificates or set them to be distrusted after a specified date. 2) Clarified what is meant by "auditor": The CA's auditor (i.e. the third-party auditing organization <https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications>) has not audited other CAs whose root certificates are already included in Mozilla’s Root store. Hope that helps with the recent feedback. Thanks to all of you, and looking forward to more feedback on this draft. Kathleen -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/e6c89435-5442-49fd-9dd5-e57b57f88ae8n%40mozilla.org.
