Thanks, Peter

Indeed, you just quoted the same parts from the documentation that I did in my 2021-12-29 email.

According to the CPS, two different legal entities declared to have been representing the CA just because one "is part of" another, which according to Mozilla policy means "legal ownership" that has nothing to do with the CA operations.

Sorry, I’m confused that while you don’t see problems here, you are at the same time proposing improvements to Mozilla policy - isn’t this "customization of rules" to the needs of a specific legal entity? While this is quite typical for Telia Company AB’s eIDAS related practices, I’m very concerned it’s happening here.

Thanks,
M.D.

Sent from my Galaxy
-------- Original message --------
From: Peter Bowen <[email protected]>
Date: 1/10/22 22:26 (GMT+02:00)
To: md <[email protected]>
Cc: "[email protected]" <[email protected]>, [email protected], "[email protected]" <[email protected]>, Ryan Sleevi <[email protected]>
Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2

On Mon, Jan 10, 2022 at 11:05 AM md <[email protected]> wrote:
>
> Thanks, Peter
>
> Below I’m relying on the Mozilla policy (MP) published here:
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
>
> You say you are confused, and it looks like this is because of the following:
>
> 1. Telia Finland Oyj is part of the Swedish company “Telia Company AB” (BusinessID 5561034249).
>
> Please note Telia Finland Oyj is a legal entity with its own BusinessID, material/human resources, management and location (see MP section 3.1.4 (13)).
>
> As "CAs SHOULD NOT assume that trust is transferable" (MP section 8), using the MP terminology the relationship between Telia Company AB and Telia Finland Oyj is "legal ownership". Feel free to rely on any privileges the policy assumes for this kind of ownership parties.
>
> The reason for the confusion is mixing two different terms, "legal ownership" and "CA operations" (as in MP section 8.2).
>
> 2. "It also seems clear to me that Telia Company AB has overall control of
> the CA operations, as they are the responsible party as documented in
> the WebTrust management assertion and addressed in the auditor's
> opinion."
>
> See, this needs to be clear not only to a highly skilled professional like yourself, but also to relying parties. I’ve no problem with Telia Company AB or Telia Finland Oyj being a CA, however I have a big problem with both of them pretending to be a PKI participant with undisclosed roles - in this context ”has overall control” is a misunderstanding; again, see MP section 8.2.
>
> ************
>
> I’m afraid your good example below is not applicable to this case - those companies, if I understood correctly, have a contractual relationship, whereas in our case all we have is "is part of", which means the legal owner (Telia Company AB) controls shares of another legal entity (Telia Finland Oyj). This has nothing to do with CA operations.

From the Telia CA audit reports: "Telia Company AB (Telia) operates the Certificate Authority (CA) services as listed in Appendix A" (the first sentence of https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTCA-20210628.pdf).

From that same file, KPMG conducted their procedures as per ISAE 3000, which requires KPMG to determine the "responsible party". KPMG clearly states that it is "Telia Company AB" in their opinion letter.

Given the root certificate currently under discussion is not part of the root program, and the ownership and control seem to be clearly stated, I do not see an issue here.

There may be a separate concern that the operations of the "TeliaSonera Root CA v1" CA were transferred at some point. Mozilla policy does not require public notice of transfer - notice can be provided to Mozilla privately. Given this, it is not possible to identify if notice was provided.

From this discussion, it does seem that Mozilla should consider a few actions:

1) Update the policy to require disclosure of the legal entity that owns the CA private key (instead of the CA certificate)

2) Update the policy to require disclosure in the CCADB, for each root CA and subordinate CA, of:
* the legal entity that owns the CA private key
* the legal entity that is the operator of the CA and is either the "Responsible Party" (ISAE 3000) or employer/contractor of the "Management and Those Charged With Governance" (AT-C 801) of the CA

3) Clarify how the community will be notified of changes, given the policy says that "Mozilla will normally keep commercially sensitive information confidential."

Thanks,
Peter
