On 6/1/2015 2:45 PM, Kathleen Wilson wrote:
> On 5/29/15 4:55 PM, David E. Ross wrote:
>> On 5/29/2015 2:16 PM, Kathleen Wilson wrote:
>>> On 5/28/15 7:53 PM, David E. Ross wrote:
>>>>> I have started the wiki page for this, and I will appreciate your
>>>>> feedback on it.
>>>>>
>>>>> https://wiki.mozilla.org/CA:RootTransferPolicy
>>>>>
>>>>> Thanks,
>>>>> Kathleen
>>>>>
>>>>
>>>> Does the line beginning "In all of these cases, the CA should take ..."
>>>> apply only to Physical Relocation? If not, the section beginning with
>>>> that line should have its own section header.
>>>>
>>>> It appears that some of the numbered items apply only to Physical
>>>> Relocation while others also apply to Change in Legal Ownership. This
>>>> appears implied by the statement under Personnel Changes. All of this
>>>> is confusing.
>>>>
>>>
>>> I updated the wiki page to hopefully make it more clear.
>>>
>>> Thanks,
>>> Kathleen
>>>
>>
>> Under "Change in Legal Ownership", how will Mozilla assure its users
>> that the new owner is competent to operate as a certification authority?
>> How quickly will Mozilla assure itself and its users that the new owner
>> is at least as trustworthy as the old owner? How quickly will users be
>> informed of the change of ownership?
>>
>
> The "Change in Legal Ownership" section is short because a change in
> ownership in itself is not particularly interesting to me. It becomes
> interesting to me if the change in ownership means that the root
> certificate's private key will be physically moved, and/or that the
> organization (people) operating the root certificate and hierarchy will
> change.
>
> So, in answer to your questions...
>
>>> Under "Change in Legal Ownership", how will Mozilla assure its users
>>> that the new owner is competent to operate as a certification authority?
>>> How quickly will Mozilla assure itself and its users that the new owner
>>> is at least as trustworthy as the old owner?
>
> See the "Personnel Changes" section:
> "the CA who is transferring the operation of the PKI must ensure that
> the transfer recipient is able to fully comply with Mozilla’s CA
> Certificate Policy. The original CA will continue to be responsible for
> the root certificate until the new organization has provided Mozilla
> with their Primary Point of Contact, CP/CPS documentation, and audit
> statement confirming successful transfer of the root."
>
>>> How quickly will users be
>>> informed of the change of ownership?
>
> Not sure what you're asking for here...
>
> Are you saying we should add a requirement for the CAs to notify their
> customers?
>
> Or are you asking that there be an announcement in
> mozilla.dev.security.policy whenever such a change has happened?
>
> Kathleen
>

No, I disagree that a change of ownership is a change of personnel. I
have worked as an employee through three changes in the ownership of my
employer without seeing a change in the technical personnel. However,
each change of ownership involved wholesale changes in policies and
practices.

In one other case, I worked for a software contractor at a NASA facility
where all the contracting companies were terminated; but some of the
contractor's employees immediately went to work directly for NASA.

Thus, changing ownership of a certification authority (an organization)
or of a root certificate is not necessarily covered by Personnel Changes.

Now that I think of it, any of the three -- Change in Legal Ownership,
Physical Relocation, and Personnel Changes -- should indeed be announced
here in mozilla.dev.security.policy; this is where individuals who might
be concerned about such a change or know of an adverse impact from the
change would be subscribers.

Furthermore, since any such change might mean different costs for
subscribers to renew a certificate, different domains for E-mail and
downloading intermediate certificates, different technical help
contacts, or a conflict of business interests, the (old) certification
authority should indeed notify its customers.

-- 
David E. Ross

I am sticking with SeaMonkey 2.26.1 until saved passwords can
be used when autocomplete=off. See
<https://bugzilla.mozilla.org/show_bug.cgi?id=433238>.