Mozilla's rules are public so you can go read them, and indeed you can help write them. But most famously they required all CAs to disclose loads of stuff, and they require CAs to do lots of stuff in public where everybody can see it, not behind closed doors where we don't know what they're up to.
Google's rules include lots of stuff about their Certificate Transparency idea, which has helped no end.
Microsoft's rules famously include them getting a veto where they can order any CA to revoke a certificate or else leave their trust programme. They mostly use this to zap malware / phishing sites.
Apple's rules forbid having lots of roots at once. Although apparently this didn't apply to Symantec, or various other people. Huh.