A couple of points of clarification (as it seems to have stirred some questions):

1. Migration to the DigiCert issuing and validation process only applies to certs intended for browser use, meaning the infrastructure may issue code signing, email, etc. certs post Dec 1. These certs will be validated and issued from existing Symantec infrastructure using Symantec validation processes, at least until we finish migration to DigiCert.

2. When I refer to "infrastructure" I mean Symantec's validation and issuing systems related to TLS certificates. We may reuse the front end systems and hardware used to provide these systems post day 1.

Note that we definitely plan to migrate customers to a consolidated experience, but I want to be clear and transparent about what is migrating when. Dec 1 is only the TLS backend.
Thanks!
Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org] On Behalf Of Jeremy Rowley via dev-security-policy
Sent: Tuesday, October 31, 2017 2:08 PM
To: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Statement on DigiCert’s Proposed Purchase of Symantec

Thanks Gerv and Kathleen. We really appreciate you posting this, and I find the Mozilla guidance extremely helpful. Here's where we are at with the current migration plan:

1) As of Dec. 1, DigiCert will validate and issue all certificates requested through Symantec. Symantec's front end systems, including their certificate management platform, tools, and services, will remain functional and operate as post-close.

2) Post Dec 1, DigiCert plans to consolidate operations onto a single infrastructure, including platforms, tools, user experience, and operations. For Mozilla users, the consolidation means one path for all validation and certificate issuance. Our new, v2, validation process simplifies the process previously offered by either company while implementing additional checks to detect and prevent mis-issuance. We expect the entire consolidation to take about a year.

3) DigiCert has always considered validation a trusted role that requires extensive training and reviews. As of Dec 1, all former Symantec personnel involved in validation will receive training on DigiCert's operations, systems, and culture. Issuance of certificates will only be permitted after completion of the training.

4) Continuously, we will look to take the best from both companies’ processes, and our focus will be on relying on DigiCert’s processes, culture and values and supplementing that with Symantec’s scale to do great things for security. This will happen throughout the consolidation process to ensure we take experiences from both companies and create something amazing.
5) Now that we’ve closed, we can freely pursue the cross-signings discussed on Mozilla (https://bugzilla.mozilla.org/show_bug.cgi?id=1401384). I’m going to make an update on that bugzilla today that shows the final architecture and names of the issuing CAs. The key ceremony is planned for end of this week. Once complete, we’ll add them to CCADB and distribute them to interested entities.

To answer a couple of points directly:

* We would be concerned if the combined company continued to operate significant pieces of Symantec’s old infrastructure as part of their day-to-day issuance of publicly-trusted certificates.

- All certificates will be issued and validated by DigiCert as of Dec 1. We do not plan to run any of Symantec’s old infrastructure. Post Dec 1, we are consolidating the other systems (API, interfaces, tools, etc.) to further eliminate paths into the CA and reduce risk.

* We would be concerned if Symantec validation and operations personnel continued their roles without retraining in DigiCert methods and culture.

- DigiCert considers validation a trusted role, meaning we require extensive training and reviews. All Symantec validation and operations personnel will use DigiCert’s systems going forward and receive training from DigiCert management. We plan on starting this training right away. In addition, we are consolidating the validation team to a couple of central locations. That, combined with the DigiCert validation safeguards, should ensure a more robust validation experience. We are also going to work hard on keeping the DigiCert culture alive. We value transparency, employee and customer satisfaction, and security (not necessarily in that order) and want to continue with those virtues.

* We would be concerned if Symantec processes appeared to displace DigiCert processes.

- What we really hope to do is learn from both DigiCert’s and Symantec’s processes to create something new during the transition that is better than either one alone.
The integration between the two companies is a perfect time to look at how both companies can improve and implement something more secure and customer friendly. We have some good ideas on what to do, and I can’t wait to see them implemented in practice. From work flows to tools, I think the combination of DigiCert’s culture and Symantec’s manpower will let us move into some interesting and exciting areas.

* We would be concerned if the management of the combined company, particularly that part of it providing technical and policy direction and oversight of the PKI, were to appear as if Symantec were the controlling CA organization in the merger.

- For management, I’m running the product team, including our efforts in integrating the two companies and processes to ensure compliance with the BRs. Dan Timpson will remain the CTO, Ben Wilson will continue to run compliance, and Jason Sabin will remain over infrastructure and operations. Symantec has some very talented individuals, and I’m looking forward to ramping them up on the DigiCert ways. However, to ensure that only one team is operating the CA and until the integration is complete, all validation and CA systems will be developed and maintained by the existing DigiCert team. Specifically, Rick Roos (who wrote our backend and CT code) will remain responsible for overseeing the CA operations, including ensuring the CA rejects any requests non-compliant with the BRs.

Overall, I think we have a great team in place to make this transition happen in a secure and efficient manner. Thanks again for posting Mozilla’s expectations. They really help us align on the migration plan and how we move forward as an organization and community members. Hopefully, I’ve managed to address some of the community concerns. With the restrictions finally lifted, I’m happy to answer any questions about our plans, organization, or the transition.
Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org] On Behalf Of Gervase Markham via dev-security-policy
Sent: Tuesday, October 31, 2017 5:49 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Statement on DigiCert’s Proposed Purchase of Symantec

[ Also at https://blog.mozilla.org/security/2017/10/31/statement-digicerts-proposed-purchase-symantec/ ]

Mozilla’s Root Store Program has taken the position that trust is not automatically transferable between organizations. This is specifically stated in section 8 of our Root Store Policy v2.5[0], which details how Mozilla handles transfers of root certificates between organizations. Mozilla has taken an interest in such transfers, and there is the potential for trust adjustments based on the particular circumstances.

The CA DigiCert has announced that it is in negotiations to acquire the CA business of Symantec[1]. This announcement was made following the decision of Mozilla and other root store programs to phase out trust in Symantec’s root certificates[2], based on a detailed investigation[3] of their old and large CA hierarchies and their behaviour and practices over the past few years. There are no plans to change this phase-out of trust in the roots owned by Symantec.
While Mozilla does not intend to micro-manage any CA, the final arrangements for management, processes and infrastructure to be used by the combined company are of interest and potential concern to us. It would not be appropriate for a CA to escape root program sanction by restructuring, or by purchasing another CA through M&A and continuing operations under that CA’s name, essentially unchanged. And examination of historical corporate merger and acquisition activity, including deals involving Symantec, shows that it’s possible for an M&A billed as the “purchase of B by A” to end up with name A and yet be mostly managed by the executives of B.

Representatives of DigiCert have sought guidance from us on the type of arrangements which would and would not cause us concern. In a good faith effort to answer that enquiry, we can make the following, non-exhaustive statements of what would cause Mozilla concern.

* We would be concerned if the combined company continued to operate significant pieces of Symantec’s old infrastructure as part of their day-to-day issuance of publicly-trusted certificates.

* We would be concerned if Symantec validation and operations personnel continued their roles without retraining in DigiCert methods and culture.

* We would be concerned if Symantec processes appeared to displace DigiCert processes.

* We would be concerned if the management of the combined company, particularly that part of it providing technical and policy direction and oversight of the PKI, were to appear as if Symantec were the controlling CA organization in the merger.

We hope that this provides useful guidance about our concerns, and note that our final opinion of the trustworthiness of the resulting entity will depend on the facts and behavior of the resulting organization. Mozilla reserves the right to include or exclude organizations or root certificates from our root store at our sole discretion.
However, if the M&A activity moves forward, we hope that the list above will be helpful to DigiCert in planning for a future harmonious working relationship with the Mozilla Root Program.

Gervase Markham
Kathleen Wilson

[0] http://www.mozilla.org/projects/security/certs/policy/
[1] https://www.digicert.com/news/digicert-to-acquire-symantec-website-security-business/
[2] https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/El1mH8S6AwAJ
[3] https://wiki.mozilla.org/CA:Symantec_Issues

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy