On 5/29/15 4:55 PM, David E. Ross wrote:
On 5/29/2015 2:16 PM, Kathleen Wilson wrote:
On 5/28/15 7:53 PM, David E. Ross wrote:
I have started the wiki page for this, and I will appreciate your
feedback on it.
https://wiki.mozilla.org/CA:RootTransferPolicy
Thanks,
Kathleen
Does the line beginning "In all of these cases, the CA should take ..."
apply only to Physical Relocation? If not, the section beginning with
that line should have its own section header.
It appears that some of the numbered items apply only to Physical
Relocation while others also apply to Change in Legal Ownership. This
appears implied by the statement under Personnel Changes. All of this
is confusing.
I updated the wiki page to hopefully make it more clear.
Thanks,
Kathleen
Under "Change in Legal Ownership", how will Mozilla assure its users
that the new owner is competent to operate as a certification authority?
How quickly will Mozilla assure itself and its users that the new owner
is at least as trustworthy as the old owner? How quickly will users be
informed of the change of ownership?
The "Change in Legal Ownership" section is short because a change in
ownership in itself is not particularly interesting to me. It becomes
interesting to me if the change in ownership means that the root
certificate's private key will be physically moved, and/or that the
organization (people) operating the root certificate and hierarchy will
change.
So, in answer to your questions...
Under "Change in Legal Ownership", how will Mozilla assure its users
that the new owner is competent to operate as a certification authority?
How quickly will Mozilla assure itself and its users that the new owner
is at least as trustworthy as the old owner?
See the "Personnel Changes" section:
"the CA who is transferring the operation of the PKI must ensure that
the transfer recipient is able to fully comply with Mozilla’s CA
Certificate Policy. The original CA will continue to be responsible for
the root certificate until the new organization has provided Mozilla
with their Primary Point of Contact, CP/CPS documentation, and audit
statement confirming successful transfer of the root."
How quickly will users be
informed of the change of ownership?
Not sure what you're asking for here...
Are you saying we should add a requirement for the CAs to notify their
customers?
Or are you asking that there be an announcement in
mozilla.dev.security.policy whenever such a change has happened?
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
