On Wed, Apr 1, 2026 at 6:56 PM Nico Williams <[email protected]> wrote:
> It was Google who did this. What's the CABF got to do with it? (Though
> it does seem like the CABF acquiesced.)

To what, exactly, did the CABF acquiesce in this situation? The CABF defines the *minimum* (I wish) standards against which TLS server certificates must be issued for WebPKI uses (where WebPKI means “the somewhat-disjoint set of roots included by the certificate consumers”). It has never, to my knowledge, claimed any jurisdiction over what roots the certificate consumer programs choose to include—for which I am grateful as a participant in both the WebPKI governance community and the web. If you would like them to consider changing that, you may wish to register as an Interested Party and bring your position to the forum members.

Google sets its own root policies, as do the other consumers. They vary widely and evolve at their own pace. It’s unfortunate that Google has been the primary driver of improvement to the health of the WebPKI, because there are other players who could be taking a more active role, but it would be much more unfortunate if Google were *also* not doing so.

But furthermore, Chrome is not an operating system and does not control what roots are packaged by operating systems for use by things like SMTP servers. I do not know of an SMTP server, at least, that imports the Chrome root set, and if one exists then it should really stop. Most operating systems set their own root store, and in the Linux space that usually means (mis)using *Mozilla’s* root store, not Chrome’s.

(Not affiliated with Google except as a fellow participant in WebPKI governance.)

Mike
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
