On Mon, Jan 10, 2022 at 1:12 PM Moudrick M. Dadashov <[email protected]> wrote:
>
> Thanks, Peter
>
> Indeed, you just quoted the same parts from the documentation that I did in
> my 2021-12-29 email.
>
> According to CPS two different legal entities declared to have been
> representing the CA just because one "is part of" another which according to
> Mozilla policy means "legal ownership" that has nothing to do with the CA
> operations.
I'm not looking at whether one company is owned by another, so "is part of"
does not matter. I'm looking at the audit reports which, by the definition of
ISAE 3000, list the "responsible party". My interpretation is that
"responsible party" is equivalent to "ownership or control of the CA’s
operations" in the Mozilla policy.

As you call out, the CPS says "The legal entity responsible of Telia CA is
Finnish company “Telia Finland Oyj” (BusinessID 1475607-9)". Based on the
audit report, Telia Finland Oyj is NOT the responsible party for the
operations of the CA. Prior messages stated that Telia Finland is the legal
owner. This indicates Telia Finland has "ownership or control of the CA’s
certificate(s)".

> Sorry, I’m confused that while you don’t see problems here, but at the same
> time proposing improvements to Mozilla policy - isn’t this "customization of
> rules" to the needs of a specific legal entity?

I know from working for multiple companies that had operations in different
countries and different tax jurisdictions that it is very common to have
people employed by different legal entities who work together as a single
team. I frequently have not known which company my colleagues legally work
for - it just doesn't matter for day to day purposes. At one point I worked
for XYZ Canada Ltd, my boss worked for ABC GmbH, his boss worked for XYZ Inc
in the US. The person working for XYZ Inc was the senior vice president and
general manager for ABC and had responsibility and control of ABC, even if he
didn't work for ABC GmbH. At another group of companies, we had people from
multiple legal entities working in the same building side by side. The fact
that I worked for Example PQR LLC and my colleague worked for Example JKL LLC
was only found if you looked at the details for entries in the corporate
directory. We both had email addresses ending in @example.com. This seems
normal and common to me.
I'm suggesting improvements in Mozilla policy because this discussion has
shown the current policy does not provide clarity as to legal entities and
because you have reasonably called out that having clarity is beneficial to
transparency. This lack of clarity is not unique to Telia; for example, the
GlobalSign CPS says "GlobalSign NV/SA and affiliated entities". Given the
lack of a requirement for public disclosure of the owner of the private
key/certificate, I'm not sure how many other CAs in the Mozilla program have
separation between the operator and key owner.

> While this is quite typical for Telia Company AB’s eIDAS related practices,
> I’m very concerned it’s happening here.

I have zero experience with eIDAS, so I cannot comment on eIDAS-related
practices.

Thanks,
Peter

>
> Thanks,
> M.D.
>
>
> Sent from my Galaxy
>
>
> -------- Original message --------
> From: Peter Bowen <[email protected]>
> Date: 1/10/22 22:26 (GMT+02:00)
> To: md <[email protected]>
> Cc: "[email protected]" <[email protected]>,
> [email protected], "[email protected]"
> <[email protected]>, Ryan Sleevi <[email protected]>
> Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2
>
> On Mon, Jan 10, 2022 at 11:05 AM md <[email protected]> wrote:
> >
> > Thanks, Peter
> >
> > Below I’m relying on the Mozilla policy (MP) published here:
> > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
> >
> > You say you are confused and it looks like it is because of the following:
> >
> > 1. Telia Finland Oyj is part of Swedish company “Telia Company AB”
> > (BusinessID 5561034249).
> >
> > Please note Telia Finland Oyj is a legal entity with its own BusinessID,
> > material/human resources, management and location (see MP section 3.1.4
> > (13)).
> >
> > As "CAs SHOULD NOT assume that trust is transferable" (MP section 8), using
> > the MP terminology the relationship between Telia Company AB and Telia
> > Finland Oyj is "legal ownership".
> > Feel free to rely on any privileges the
> > policy assumes for this kind of ownership parties.
> >
> > The reason for the confusion is mixing two different terms, "legal ownership" and
> > "CA operations" (as in MP section 8.2).
> >
> > 2. "It also seems clear to me that Telia Company AB has overall control of
> > the CA operations, as they are the responsible party as documented in
> > the WebTrust management assertion and addressed in the auditor's
> > opinion."
> >
> > See, this needs to be clear not only to a highly skilled professional like
> > yourself, but also to relying parties. I’ve no problem with Telia Company
> > AB or Telia Finland Oyj being a CA, however I have a big problem with both of
> > them pretending to be PKI participants with undisclosed roles - in this
> > context ”has overall control” is a misunderstanding, again, see MP section
> > 8.2.
> >
> > ************
> >
> >
> > I’m afraid your good example below is not applicable to this case - those
> > companies, if I understood correctly, have a contractual relationship,
> > whereas in our case all we have is "is part of" which means the legal owner
> > (Telia Company AB) controls shares of another legal entity (Telia Finland
> > Oyj). This has nothing to do with CA operations.
>
> From the Telia CA audit reports: "Telia Company AB (Telia) operates
> the Certificate Authority (CA) services as listed in Appendix A" (the
> first sentence of
> https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTCA-20210628.pdf).
> From that same file, KPMG conducted their procedures as per ISAE 3000,
> which requires KPMG to determine the "responsible party". KPMG
> clearly states that it is "Telia Company AB" in their opinion letter.
>
> Given the root certificate currently under discussion is not part of
> the root program, and the ownership and control seem to be clearly
> stated, I do not see an issue here.
>
> There may be a separate concern that the operations of the
> "TeliaSonera Root CA v1" CA were transferred at some point. Mozilla
> policy does not require public notice of transfer - notice can be
> provided to Mozilla privately. Given this, it is not possible to
> identify if notice was provided.
>
> From this discussion, it does seem that Mozilla should consider a few actions:
> 1) Update the policy to require disclosure of the legal entity that
> owns the CA private key (instead of the CA certificate)
> 2) Update the policy to require disclosure in the CCADB, for each root
> CA and subordinate CA, of:
> * the legal entity that owns the CA private key
> * the legal entity that is the operator of the CA and is either the
> "Responsible Party" (ISAE 3000) or employer/contractor of the
> "Management and Those Charged With Governance" (AT-C 801) of the CA
> 3) Clarify how the community will be notified of changes, given the
> policy says that "Mozilla will normally keep commercially sensitive
> information confidential."
>
> Thanks,
> Peter
