Further to David's points, I'm wondering how far Mozilla would be willing to
go when a controversial transfer is proposed. Is removal from the trust store 
on the table? 

For example, suppose DigiNotar wants to get back in the cert business and buys
up GoDaddy. What would we do then?


  Original Message  
From: David E. Ross
Sent: Tuesday, June 2, 2015 4:32 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Policy about root cert transfers

On 6/2/2015 10:44 AM, Kathleen Wilson wrote:
> 
> I've re-written the "Change in Legal Ownership" section. Please send me 
> feedback on the new version, and let me know if this is heading in the 
> right direction.
> 
> https://wiki.mozilla.org/CA:RootTransferPolicy#Change_in_Legal_Ownership
> 
> Thanks,
> Kathleen
> 
> 

That section does not address the case when ownership of the
organization changes with the new owner retaining the old owner's
physical facilities and personnel but with new organizational policies.
My 40+ years as a computer programmer and a software test engineer
(prior to retirement) show that this is a very real situation; I
experienced this more than once.

If the organization's policies change, that might include the CP/CPS.
Even if those two documents do not change, higher-level organizational
policy changes might impact adherence to the CP/CPS. Thus, a change of
ownership of either the certification authority or a root certificate
requires some review by Mozilla beyond what is proposed.

Furthermore, I do think customers of the old certification authority
must be informed of the change of ownership. This is standard practice
for banks, physicians, attorneys, and other entities where trust between
the provider of a service and its customers is important. By
"customers", I would include both subscribers (notified by the old
owner) and end-users (notified here in mozilla.dev.security.policy).

-- 
David E. Ross

I am sticking with SeaMonkey 2.26.1 until saved passwords can
be used when autocomplete=off. See
<https://bugzilla.mozilla.org/show_bug.cgi?id=433238>.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy