On Wed, Jun 15, 2016 at 12:02 AM, <[email protected]> wrote:

> The integrity of Symantec’s public certification authority will not be
> impacted as a result of the Blue Coat acquisition. Until the acquisition
> is complete, Symantec and Blue Coat will continue to operate as two
> separate companies. Once the transaction is complete, Symantec’s public CA
> infrastructure and capabilities will continue to remain separate and
> independent from Blue Coat’s technology and products.

Thanks for the response, Sanjay. This is a pretty general statement, and doesn't definitively answer whether Blue Coat can be said to be "not in possession of the private key". From what you're saying, it sounds like they *will* enter into possession of the private key in at least a legal sense. Depending on how you implement the business separation, BC could be argued to be in possession of the private key in other senses too.

Symantec should update its official statement to reflect this, so that the statement doesn't become inaccurate once the acquisition is complete.

> In addition,
> policies and governance will be established to ensure the public CA
> operations will not be used to facilitate packet inspection in the Blue
> Coat offerings that will become a part of Symantec’s portfolio.

I hate to pepper you with questions, but this raises several:

Will this mean technical controls that restrict issuance beyond what would otherwise have been allowed?

Will Symantec publish those policies publicly?

Will Symantec seek feedback from this community before finalizing them?

-- Eric

> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

--
konklone.com | @konklone <https://twitter.com/konklone>

