Re: Google Trust Services roots

2017-02-10 Thread Ryan Sleevi via dev-security-policy
On Fri, Feb 10, 2017 at 8:00 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I am trying to say that I use the word "issue" as the weakest category, > orders of magnitude less serious than an absolute cause for rejection. And I'm trying to suggest that

Re: Google Trust Services roots

2017-02-10 Thread Jakob Bohm via dev-security-policy
On 10/02/2017 16:34, Ryan Sleevi wrote: On Thu, Feb 9, 2017 at 11:40 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: For clarity, I was pointing out that GTS seems to have chosen a method likely to fail if an when actually needed, due to the typical

Re: Google Trust Services roots

2017-02-10 Thread Ryan Sleevi via dev-security-policy
On Thu, Feb 9, 2017 at 11:40 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > For clarity, I was pointing out that GTS seems to have chosen a method > likely to fail if an when actually needed, due to the typical dynamics > of large human organizations.

RE: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-10 Thread Inigo Barreira via dev-security-policy
Gerv, I see many "should" in this link. Basically those indicating "should notify Mozilla" and "should follow the physical relocation section". But in physical relocation and personnel changes sections it seems to me thereĀ“s a contradiction because there are some must. Can you explain the

Re: Google Trust Services roots

2017-02-10 Thread Gervase Markham via dev-security-policy
Hi Ryan, On 09/02/17 19:55, Ryan Hurst wrote: > - The EV OID associated with this permission is associated with GlobalSign > and not Google and, Which EV OID are you referring to, precisely? > - GlobalSign is active member in good standing with the respective root > programs and, > - Google

Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-10 Thread Gervase Markham via dev-security-policy
On 10/02/17 05:10, Peter Bowen wrote: > On Thu, Feb 9, 2017 at 7:41 AM, Gervase Markham via >> A) The date Google took control of the GlobalSign roots >> B) The date Google publicly announced GTS >> >> you will see there's quite a big delta. If you assume Google told >> Mozilla about event A)

Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-10 Thread Gervase Markham via dev-security-policy
On 10/02/17 06:15, Richard Wang wrote: > I think Mozilla should have a very clear policy for: > (1) If a company that not a public trusted CA acquired a trusted root key, > what the company must do? > (2) If a company is a public trusted CA that acquired a trusted root key, > what the company