I've been looking at Section 8.1 of the Mozilla CA policy, and I think you 
could easily game the disclosure requirements to avoid any notice to 
Mozilla or the community. I think this is a problem and should be corrected 
with updated language. I would love your thoughts as I'm not exactly sure 
where the line for disclosure should be. Personally, I like erring on the 
side of too much disclosure instead of too little.  

Section 8.1: "This section applies when one company buys or takes a 
controlling stake in a CA or CA operator, or when an organization obtains 
control of a CA key pair that is within the scope of Mozilla's root store, 
unless it is constrained in compliance with section 5.3.1 of this policy.

Mozilla MUST be notified of any resulting changes in the CA operator's CP, 
CPS, or combined CP/CPS."

The biggest issue I see is that you can have an acquisition that looks like 
this: Company1 and Company2 want to do a deal with Company1 acquiring 
Company2's assets. Company2 integrates Company1's CA into its issuance. 
Company1 takes over all operations of Company2 but leaves the CA housed in 
Company2's data center. Company2 contracts with Company1 for them to 
operate the CA in the datacenter. Now, Company1 has taken over Company2 
without triggering the disclosure requirement despite Company1 effectively 
operating the CA. This was an asset sale only so no legal takeover 
happened. The CA remains under documented control of Company2 despite 
Company1 providing all the operations. It's essentially a farce to get 
around the disclosure requirements - and I think it works with the current 
language. 

I'd recommend that the language be updated similar to the following:

Section 8.1: "This section applies to:
a) whenever one company with a trusted root certificate acquires the assets 
or a controlling stake in another company with a trusted root certificate, 

b) whenever one company with a trusted root certificate takes over 
operations of the CA Systems (as defined in the CAB Forum's Network 
Security Requirements) of another company with a trusted root certificate, 

c) whenever one company with a trusted root certificate is the final 
approval on issuance of a certificate by another company with a trusted 
root certificate, and

d) whenever one company with a trusted root certificate assumes any 
operation, management responsibility, or access to another company's 
trusted root certificate. 

In these cases, Mozilla must be notified at least 15 days before such 
activity occurs and recommends providing notice to the public through a 
public post on Mozilla's Dev Sec Google Group." 

Thoughts? 


-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/fbe14908-a79a-4e1e-b0cd-91aea2c35f60n%40mozilla.org.