Peter, a while back a well known [bank industry] supervisor here stated: "ethics and morals are not dimensions of this world".

So, how about a more realistic scenario where TeliaSonera buys whatever foreign legislation needed for its baby CA in Estonia?

Since our 3-year discussion on this list I'm personally in favor of a pure technocratic approach:
- define what constitutes the critical infrastructure (e.g. communication channels, network access/management, application service delivery);
- name the management/ownership/operational conditions under which the infrastructure should not be considered "publicly trusted".

Of course, this implies full disclosure of business organization in terms of the infrastructure building blocks above.

Thanks,
M.D.

On 6/3/2015 1:29 AM, Peter Kurrasch wrote:
Further to David's points, I'm wondering how far Mozilla would be willing to 
go when a controversial transfer is proposed. Is removal from the trust store 
on the table?

For example suppose DigiNotar wants to get back in the cert business and buys 
up GoDaddy, what would we do then?


   Original Message
From: David E. Ross
Sent: Tuesday, June 2, 2015 4:32 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Policy about root cert transfers

On 6/2/2015 10:44 AM, Kathleen Wilson wrote:
I've re-written the "Change in Legal Ownership" section. Please send me
feedback on the new version, and let me know if this is heading in the
right direction.

https://wiki.mozilla.org/CA:RootTransferPolicy#Change_in_Legal_Ownership

Thanks,
Kathleen


That section does not address the case when ownership of the
organization changes with the new owner retaining the old owner's
physical facilities and personnel but with new organizational policies.
My 40+ years as a computer programmer and a software test engineer
(prior to retirement) show that this is a very real situation; I
experienced it more than once.

If the organization's policies change, that might include the CP/CPS.
Even if those two documents do not change, higher-level organizational
policy changes might impact adherence to the CP/CPS. Thus, a change of
ownership of either the certification authority or a root certificate
requires some review by Mozilla beyond what is proposed.

Furthermore, I do think customers of the old certification authority
must be informed of the change of ownership. This is standard practice
for banks, physicians, attorneys, and other entities where trust between
the provider of a service and its customers is important. By
"customers", I would include both subscribers (notified by the old
owner) and end-users (notified here in mozilla.dev.security.policy).

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy