On Thu, Mar 29, 2018 at 4:03 PM, Wayne Thayer <wtha...@mozilla.com> wrote:

> On Thu, Mar 29, 2018 at 8:53 AM, Ryan Sleevi <r...@sleevi.com> wrote:
>
>>
>> On Mon, Mar 26, 2018 at 3:46 PM, Wayne Thayer via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>>> When the Francisco Partners acquisition of Comodo was announced, it was
>>> pointed out [1] that a strict reading of the current policy section 8.1
>>> would have forced Comodo to stop issuing certificates for some period of
>>> time:
>>>
>>> > If the receiving or acquiring company is new to the Mozilla root program,
>>> > there MUST be a public discussion regarding their admittance to the root
>>> > program, which Mozilla must resolve with a positive conclusion before
>>> > issuance is permitted.
>>> >
>>>
>>> I propose that we update section 8.1 to distinguish between root transfers
>>> and acquisition of or investment in a CA organization, with the latter
>>> cases allowing issuance to continue during the discussion period.
>>>
>>> During the earlier discussion on this topic [1], it was also proposed that
>>> we require the receiving or acquiring company to make no changes during the
>>> discussion period and that we require all material changes anticipated as a
>>> result of the investment or acquisition to be publicly disclosed by the CA.
>>>
>>> This is: https://github.com/mozilla/pkipolicy/issues/109
>>>
>>> [1]
>>> https://groups.google.com/d/msg/mozilla.dev.security.policy/
>>> AvGlsb4BAZo/gQe5ggE6BQAJ
>>
>>
>> I'm having a little bit of difficulty imagining what you see the change
>> looking like. Do you have draft text in mind, to look for possible
>> exploitable loopholes?
>>
> Here's a proposal: https://github.com/mozilla/pkipolicy/commit/565250b9bbc16c1a4e3d4165f0171e8702b2b21d
>

Thanks, that's much easier to visualize.

I think it's a positive change, but it may be worth emphasizing that a
complete change in ownership does not otherwise exempt a CA from the other
reporting - such as changes in operational personnel, material changes in
the CA's operations (CP/CPS), etc. This is covered by Section 8.2 and 8
overall, so it may not bear mentioning explicitly, or it may be worth
noting that the receiving or acquiring company will be bound by the policy,
in full, including any notifications of further changes.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy