
Time and money. Plus right now even if you bought the infra, the staff, paid for and passed the audits, and then waited while Apple, Mozilla, Google and Oracle (at least) included your roots... Microsoft aren't taking more right now. So you have to wait for some unknown time in the future when/if they start doing that again. You could purchase a root off an existing CA, subject to the trust stores approving it, and the boatload of cash you'd need to buy it (plus still having the staff and infra to operate it).



> Microsoft aren't taking more right now. So you have to wait for some unknown time in the future when/if they start doing that again.

Interesting, I hadn’t heard that, is there anywhere I can read more about it?

> You could purchase a root off an existing CA,

As well as a sub-CA, I remember in theory you can have two independent CAs with cross-signing… but do browsers actually support that?


"Nothing public to point out to" is probably accurate but it is noted publicly here: https://learn.microsoft.com/en-us/security/trusted-root/new-...


Nothing public to point to, sorry.

Sub-CAs: Not really. Operational risk to the parent CA is huge, you'd be hard pressed to get any current public CA to sign an issuing CA to be operated externally. Cross-signing still works (though it is the stuff of nightmares in many cases) but again you have to have money and a CA willing to do it!


Entrust is/was doing it with ssl.com after they were detrusted.

No, SSLCorp are hosting and managing a CA with Entrust branding. Same as Sectigo are doing. Entrust aren't doing issuance, verification - they're straight reselling from white-labeled issuing CAs.


