On Thu, Mar 29, 2018 at 2:12 PM, Ryan Sleevi <r...@sleevi.com> wrote:
>
> On Thu, Mar 29, 2018 at 4:03 PM, Wayne Thayer <wtha...@mozilla.com> wrote:
>
>> On Thu, Mar 29, 2018 at 8:53 AM, Ryan Sleevi <r...@sleevi.com> wrote:
>>
>>> On Mon, Mar 26, 2018 at 3:46 PM, Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>>>
>>>> When the Francisco Partners acquisition of Comodo was announced, it was pointed out [1] that a strict reading of the current policy section 8.1 would have forced Comodo to stop issuing certificates for some period of time:
>>>>
>>>> > If the receiving or acquiring company is new to the Mozilla root program, there MUST be a public discussion regarding their admittance to the root program, which Mozilla must resolve with a positive conclusion before issuance is permitted.
>>>>
>>>> I propose that we update section 8.1 to distinguish between root transfers and acquisition of or investment in a CA organization, with the latter cases allowing issuance to continue during the discussion period.
>>>>
>>>> During the earlier discussion on this topic [1], it was also proposed that we require the receiving or acquiring company to make no changes during the discussion period and that we require all material changes anticipated as a result of the investment or acquisition to be publicly disclosed by the CA.
>>>>
>>>> This is: https://github.com/mozilla/pkipolicy/issues/109
>>>>
>>>> [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/AvGlsb4BAZo/gQe5ggE6BQAJ
>>>
>>> I'm having a little bit of difficulty imagining what you see the change looking like. Do you have draft text in mind, to look for possible exploitable loopholes?
>>>
>> Here's a proposal: https://github.com/mozilla/pkipolicy/commit/565250b9bbc16c1a4e3d4165f0171e8702b2b21d
>>
> Thanks, that's much easier to visualize.
>
> I think it's a positive change, but it may be worth emphasizing that a complete change in ownership does not otherwise exempt a CA from the other reporting - such as changes in operational personnel, material changes in the CA's operations (CP/CPS), etc. This is covered by Section 8.2 and 8 overall, so it may not bear mentioning explicitly, or it may be worth noting that the receiving or acquiring company will be bound by the policy, in full, including any notifications of further changes.
>

To address this comment, I added the statement "...it must comply with the entirety of this policy...". With both changes, section 8.1 would read as follows:

> This section applies when one company buys or takes a controlling stake in a CA, or when an organization buys the private key of a certificate in Mozilla's root program.
>
> Mozilla MUST be notified of any resulting changes in the CA's CP or CPS.
>
> If the receiving or acquiring company is new to the Mozilla root program, it must comply with the entirety of this policy and there MUST be a public discussion regarding their admittance to the root program, which Mozilla must resolve with a positive conclusion in order for the affected certificate(s) to remain in the root program. If the entire CA operation is not included in the scope of the transaction, issuance is not permitted until the discussion has been resolved with a positive conclusion.

Unless there are further comments on this topic, I'll include this change in version 2.6.

- Wayne

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy