Hi Nick,

I guess the concern is about the management of the NSS-included Entrust Roots, since they are distrusted in a "NOT_AFTER" fashion while there are other Browsers and Certificate Consumers that do not support that type of distrust.

In any case, I believe Bruce Morton's response was clear that Entrust will continue to manage their existing Roots according to the applicable requirements, and IMHO that addresses these concerns.

On that end, perhaps the public announcement <https://www.entrust.com/company/newsroom/entrust-sells-public-certificate-business-to-sectigo> could be a bit more clear about which parts of the "Public Certificate Business" are moving to SECTIGO and which parts remain with ENTRUST (and for how long).


Dimitris.

On 31/1/2025 11:29 AM, 'Nick France' via [email protected] wrote:

Thanks Jeremy,

Again, to be clear - this is a very different situation than Symantec. As stated before, we are not acquiring staff, systems, infrastructure, or the roots.

Entrust roots have already been distrusted - unlike with Symantec when there had to be a transition plan for that distrust.

Entrust are operating today as a reseller, of both Sectigo and SSL.com. This is no different to how we and other CAs already operate resellers today.

Specific plans on any transition of customers from the Entrust platform to Sectigo are still being discussed and developed.

Nick


On Thursday, January 30, 2025 at 3:19:48 PM UTC Jeremy Rowley wrote:

    Thank you for the carefully crafted corporate message that didn't
    actually answer the question. I think MDSP deserves more details
    than are being presented. For example, in the Symantec acquisition,
    none of the front-ends managed compliance. Yet, DigiCert was
    required to submit a plan to deprecate those to ensure simplicity
    and remove potential pathways through the system even though
    Symantec's systems were not doing the validation or issuance. Can
    you provide some details here about the proposed structure and
    integration? This seems appropriate given past acquisitions.


    On Thu, Jan 30, 2025 at 7:58 AM 'Bruce Morton' via
    [email protected] <[email protected]> wrote:

        While we are developing the future customer experience plans
        with Sectigo and until issuance of publicly trusted
        certificates has transitioned to Sectigo, Entrust is committed
        to continuing all operations in accordance with the
        applicable requirements.


        On Wednesday, January 29, 2025 at 4:14:25 PM UTC-5 Jeremy
        Rowley wrote:

            Thanks Nick - that makes sense. One question though - who
            is maintaining the front end systems? Will Entrust still
            be supporting those with Sectigo issuing? If they fall
            apart, will Sectigo be maintaining them or Entrust?

            On Wed, Jan 29, 2025 at 1:37 PM 'Nick France' via
            [email protected] <[email protected]> wrote:

                Jeremy, Wayne:
                For clarity, the acquisition was of customers and
                customer contracts. Sectigo is not taking over or
                transferring any systems, infrastructure or staff from
                Entrust as part of this deal.
                This is different to the transition of Symantec back
                in 2017/2018.
                The recently-announced reseller integration will
                continue (which was discussed in advance with relevant
                parties) with customers obtaining certificates via
                Entrust systems utilising that integration.
                The distrusted roots remain with Entrust with no
                current plans to move them - should that change,
                notice will be given as required to trust-store
                operators and browsers.

                All certificates will be issued from Sectigo CA
                systems, using Sectigo roots and issuing CAs, Sectigo
                policies and practices.

                Tim or I are happy to answer any further questions
                on-list or privately via email if required (nick@ and
                tim.callan@).

                Thanks,
                Nick

                On Wednesday, January 29, 2025 at 7:53:43 PM UTC Wayne
                wrote:

                    I completely agree Jeremy, the lack of information
                    in all the current press releases by both parties
                    is disheartening. We have statements to customers
                    and partners on the contractual terms being the
                    same for the time being, but nothing on the
                    leadership changes. The plan for the platform
                    going forward is most concerning as it's the most
                    immediately impactful and each root store will
                    have to make considerations for potential fresh
                    inclusion of roots.

                    We do have precedent for this historically, and
                    it would be wise for any CA buying or selling to
                    disclose in advance for public interest. The
                    oversights in place aren't enough if a silent
                    leadership change occurs that changes who controls
                    the roots, and there is no clear intent for public
                    disclosure. While I don't see Mozilla placing any
                    specific policy in place regarding this, I believe
                    it reflects on the transparency of each
                    organization in question and their commitment to
                    the WebPKI as an open and transparent process.

                    I sincerely hope the drafts are already prepared
                    and both Entrust and Sectigo's PR departments got
                    ahead of the game on announcing the acquisition.
                    What would a timely response to informing relevant
                    parties of this entail?

                    - Wayne

                    On Wednesday, January 29, 2025 at 7:11:33 PM UTC
                    Jeremy Rowley wrote:

                        News of the acquisition is here:
                        https://www.entrust.com/company/newsroom/entrust-sells-public-certificate-business-to-sectigo

                        I am a bit disappointed that there was not a
                        public announcement on the forum as was
                        requested with other transactions. Will
                        Sectigo be sharing the details of the
                        acquisition? Specific questions that were
                        asked during the Symantec acquisition included:
                        1) Will Entrust leadership be involved in
                        Sectigo? This was a no-go during the Symantec
                        acquisition and was specifically forbidden by
                        Mozilla.
                        2) Was notice given to Mozilla? If so, why
                        wasn't this shared with the public? Sectigo
                        isn't publicly traded so I'm surprised the
                        notification was missed. Granted this is not a
                        written requirement - just notice to Mozilla -
                        but given Mozilla's dedication to public
                        discussion, I am very interested to know why
                        this wasn't shared.
                        3) What are the plans for the platform? Note
                        that during the Symantec transition, DigiCert
                        was required to file a bug and track migration
                        of customers off the legacy Symantec roots and
                        systems (including the front-ends). Where is
                        this plan disclosed?
                        4) Will Sectigo be filing a bug to provide
                        community updates? This was required during
                        the Symantec acquisition to keep the public
                        informed on progress and issues found with the
                        Symantec environment.  If Entrust was
                        distrusted partly because of how archaic its
                        systems are, then there should be equal
                        concern about Sectigo operating those systems
                        without proper public communication.

                        Glad to see Sectigo acquired the business, but
                        I'm concerned that the processes Mozilla
                        required of DigiCert during Symantec are not
                        being addressed here.

-- You received this message because you are subscribed
                to the Google Groups "[email protected]" group.
                To unsubscribe from this group and stop receiving
                emails from it, send an email to
                [email protected].
                To view this discussion visit
                
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/6af59737-bc8f-4484-a406-537a1009987bn%40mozilla.org
                
<https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/6af59737-bc8f-4484-a406-537a1009987bn%40mozilla.org?utm_medium=email&utm_source=footer>.
