Re: Sectigo to Be Acquired by GI Partners

2020-10-15 Thread Jakob Bohm via dev-security-policy

On 2020-10-15 16:46, Rob Stradling wrote:
> Hi Jakob.  I don't believe that this list mandates any particular posting style
> [https://en.wikipedia.org/wiki/Posting_style].
>
> Although interleaved/inline posting is my preferred style, I'm stuck using
> Outlook365 as my mail client these days.  (Sadly, Thunderbird's usability
> worsened dramatically for me after Sectigo moved corporate email to Office365 a
> few years ago).  So this is the situation I find myself in...
>
> "This widespread policy in business communication made bottom and inline posting so
> unknown among most users that some of the most popular email programs no longer support
> the traditional posting style. For example, Microsoft Outlook, AOL, and Yahoo! make it
> difficult or impossible to indicate which part of a message is the quoted original or do
> not let users insert comments between parts of the original."
> [https://en.wikipedia.org/wiki/Posting_style#Quoting_support_in_popular_mail_clients]

I realized that the problem was caused by broken client software, and
was pointing out that in this case, it had led to a specific lack of
clarity and was asking for clarification of what meaning was intended.




> From: dev-security-policy  on behalf
> of Jakob Bohm via dev-security-policy
> Sent: 12 October 2020 22:41
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Sectigo to Be Acquired by GI Partners
>
> Hi Rob,
>
> The e-mail you quote below seems to be inadvertently "confirming" some
> suspicions that someone else posed as questions. I think the group as a
> whole would love to have actual specific answers to those original
> questions.
>
> Remember to always add an extra layer of ">" indents for each level of
> message quoting, so as to not misattribute text.
>
> On 2020-10-12 10:43, Rob Stradling wrote:
>> Hi Ryan.  Tim Callan posted a reply to your questions last week, but his
>> message has not yet appeared on the list.  Is it stuck in a moderation queue?
>>
>> From: dev-security-policy  on behalf
>> of Ryan Sleevi via dev-security-policy
>> Sent: 03 October 2020 22:16
>> To: Ben Wilson
>> Cc: mozilla-dev-security-policy
>> Subject: Re: Sectigo to Be Acquired by GI Partners
>>
>> In a recent incident report [1], a representative of Sectigo noted:
>>
>>> The carve out from Comodo Group was a tough time for us. We had twenty
>>> years’ worth of completely intertwined systems that had to be disentangled
>>> ASAP, a vast hairball of legacy code to deal with, and a skeleton crew of
>>> employees that numbered well under half of what we needed to operate in any
>>> reasonable fashion.
>>
>> This referred to the previous split [2] of the Comodo CA business from the
>> rest of Comodo businesses, and rebranding as Sectigo.
>>
>> In addition to the questions posted by Wayne, I think it'd be useful to
>> confirm:
>>
>> 1. Is it expected that there will be similar system and/or infrastructure
>> migrations as part of this? Sectigo's foresight of "no effect on its
>> operations" leaves it a bit ambiguous whether this is meant as "practical"
>> effect (e.g. requiring a change of CP/CS or effective policies) or whether
>> this is meant as no "operational" impact (e.g. things will change, but
>> there's no disruption anticipated). It'd be useful to frame this response
>> in terms of any anticipated changes at all (from mundane, like updating the
>> logos on the website, to significant, such as any procedure/equipment
>> changes), rather than observed effects.
>>
>> 2. Is there a risk that such an acquisition might further reduce the crew
>> of employees to an even smaller number? Perhaps not immediately, but over
>> time, say the next two years, such as "eliminating redundancies" or
>> "streamlining operations"? I recognize that there's an opportunity such an
>> acquisition might allow for greater investment and/or scale, and so don't
>> want to presume the negative, but it would be good to get a clear
>> commitment as to that, similar to other acquisitions in the past (e.g.
>> Symantec CA operations by DigiCert)
>>
>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1648717#c21
>> [2] https://groups.google.com/g/mozilla.dev.security.policy/c/AvGlsb4BAZo/m/p_qpnU9FBQAJ
>>
>> On Thu, Oct 1, 2020 at 4:55 PM Ben Wilson via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>>> As announced previously by Rob Stradling, there is an agreement for
>>> private investment firm GI Partners, out of San Francisco, CA, to acquire
>>> Sectigo. Press release:
>>> https://sectigo.com/resource-library/sectigo-to-be-acquired-by-gi-partners
>>> .
>>>
>>> I am treating this as a change of legal ownership covered by section 8.1
>>> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#81-change-in-legal-ownership>
>>> of the Mozilla Root Store Policy, which states:
>>>
>>>> If the receiving or acquiring company is new to the Mozilla root program,
>>>> it must demonstrate compliance with the entirety of this policy and there
>>>> MUST be a public discussion regarding their admittance to the root
>>>> program,
>>>> which Mozilla must resolve with a 

Re: PEM of root certs in Mozilla's root store

2020-10-15 Thread Jakob Bohm via dev-security-policy

On 2020-10-15 11:57, Ryan Sleevi wrote:
> On Thu, Oct 15, 2020 at 1:14 AM Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>>> For example, embedded new lines are discussed in 2.6 and the ABNF
>>> therein.
>>
>> The one difference from RFC4180 is that CR and LF are not part of the
>> alternatives for the inner part of "escaped".
>
> Again, it would do a lot of benefit for everyone if you would be more
> precise here.
>
> For example, it seems clear and unambiguous that what you just stated is
> factually wrong, because:
>
> escaped = DQUOTE *(TEXTDATA / COMMA / CR / LF / 2DQUOTE) DQUOTE

I was stating the *difference* from RFC4180 being precisely that
"simple, traditional CSV" doesn't accept the CR and LF alternatives in
that syntax production.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

2020-10-15 Thread Ben Wilson via dev-security-policy
This issue #153, listed here:
https://github.com/mozilla/pkipolicy/issues/153, is proposed for resolution
with version 2.7.1 of the Mozilla Root Store Policy. It is related to Issue
139 (audits required even if not issuing).

The first paragraph of section 3.1.3 of the MRSP would read:

Full-surveillance period-of-time audits MUST be conducted and updated audit
information provided no less frequently than *annually* from the time of CA
key pair generation until the CA certificate is no longer trusted by
Mozilla's root store or until all copies of the CA private key have been
completely destroyed, as evidenced by a Qualified Auditor's key destruction
report, whichever occurs sooner. Successive period-of-time audits MUST be
contiguous (no gaps).

Item 5 in the fifth paragraph of section 7.1 of the MRSP (new root
inclusions) would read:

5. an auditor-witnessed root key generation ceremony report and contiguous
period-of-time audit reports performed thereafter no less frequently than
annually;

The proposed language can be examined further in the following commits:

https://github.com/BenWilson-Mozilla/pkipolicy/commit/0d72d9be5acca17ada34cf7e380741e27ee84e55

https://github.com/BenWilson-Mozilla/pkipolicy/commit/888dc139d196b02707d228583ac20564ddb27b35

Or here:
https://github.com/BenWilson-Mozilla/pkipolicy/blob/2.7.1/rootstore/policy.md

Thanks in advance for your comments,

Ben


Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy Constraints

2020-10-15 Thread Ben Wilson via dev-security-policy
This issue is presented for resolution in the next version of the Mozilla
Root Store Policy. It is related to Issue #147 (previously posted for
discussion on this list on 6-Oct-2020).

Possible language is presented here:
https://github.com/BenWilson-Mozilla/pkipolicy/commit/c1acc76ad9f05038dc82281532fb215d71d537d4

In addition to replacing "if issuing EV certificates" with "if capable of
issuing EV certificates" in two places -- for WebTrust and ETSI audits --
it would be followed by "(i.e. a subordinate CA under an EV-enabled root
that contains no EKU or the id-kp-serverAuth EKU or anyExtendedKeyUsage
EKU, and a certificatePolicies extension that asserts the CABF EV OID of
2.23.140.1.1, the anyPolicy OID, or the CA's EV policy OID)." Thus, Mozilla
considers that a CA is capable of issuing EV certificates if it is (1) a
subordinate CA (2) under an EV-enabled root (3) that contains no EKU or the
id-kp-serverAuth EKU or anyExtendedKeyUsage EKU, and (4) a
certificatePolicies extension that asserts the CABF EV OID of 2.23.140.1.1,
the anyPolicy OID, or the CA's EV policy OID.

I look forward to your suggestions.

Thanks,

Ben
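As an added illustration, not Mozilla's code nor any CA's, the four-part "capable of issuing EV certificates" test above written as a checker over the EKU and certificatePolicies contents of a subordinate CA certificate. The SubCA helper, the ca_ev_policy_oid parameter and the sample inputs are constructed for this example; the OIDs are the standard ones the proposal names.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"      # anyExtendedKeyUsage
ANY_POLICY = "2.5.29.32.0"                  # anyPolicy
CABF_EV_OID = "2.23.140.1.1"                # CA/Browser Forum EV policy OID


@dataclass(frozen=True)
class SubCA:
    """The parts of a subordinate CA certificate the test looks at (constructed)."""
    under_ev_enabled_root: bool
    eku: Optional[FrozenSet[str]]       # None = no EKU extension present
    policies: Optional[FrozenSet[str]]  # None = no certificatePolicies present


def ev_capable(ca: SubCA, ca_ev_policy_oid: Optional[str] = None) -> bool:
    """Apply the four conditions of the proposed MRSP 2.7.1 wording."""
    # (1) a subordinate CA (2) under an EV-enabled root
    if not ca.under_ev_enabled_root:
        return False
    # (3) no EKU extension, or one listing serverAuth or anyExtendedKeyUsage
    eku_ok = ca.eku is None or bool(
        ca.eku & {ID_KP_SERVER_AUTH, ANY_EXTENDED_KEY_USAGE})
    # (4) a certificatePolicies extension asserting the CABF EV OID, anyPolicy
    # or the CA's own EV policy OID; an absent extension does not satisfy this
    accepted = {CABF_EV_OID, ANY_POLICY}
    if ca_ev_policy_oid is not None:
        accepted.add(ca_ev_policy_oid)
    policy_ok = ca.policies is not None and bool(ca.policies & accepted)
    return eku_ok and policy_ok


# Constructed sample inputs (hypothetical, not real CA certificates).
EMAIL_ONLY = SubCA(True, frozenset({"1.3.6.1.5.5.7.3.4"}),   # emailProtection
                   frozenset({CABF_EV_OID}))
NO_EKU_ANY_POLICY = SubCA(True, None, frozenset({ANY_POLICY}))
SERVER_AUTH_DV_ONLY = SubCA(True, frozenset({ID_KP_SERVER_AUTH}),
                            frozenset({"2.23.140.1.2.1"}))   # CABF DV OID
OWN_EV_OID = SubCA(True, frozenset({ANY_EXTENDED_KEY_USAGE}),
                   frozenset({"1.3.6.1.4.1.99999.1"}))   # hypothetical CA EV OID
```

Note that SERVER_AUTH_DV_ONLY is out of scope only because of its policy OID; a DV-profiled sub-CA that also asserted anyPolicy would fall under the EV audit requirement.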


Re: Sectigo to Be Acquired by GI Partners

2020-10-15 Thread Rob Stradling via dev-security-policy
Hi Jakob.  I don't believe that this list mandates any particular posting style
[https://en.wikipedia.org/wiki/Posting_style].

Although interleaved/inline posting is my preferred style, I'm stuck using 
Outlook365 as my mail client these days.  (Sadly, Thunderbird's usability 
worsened dramatically for me after Sectigo moved corporate email to Office365 a 
few years ago).  So this is the situation I find myself in...

"This widespread policy in business communication made bottom and inline 
posting so unknown among most users that some of the most popular email 
programs no longer support the traditional posting style. For example, 
Microsoft Outlook, AOL, and Yahoo! make it difficult or impossible to indicate 
which part of a message is the quoted original or do not let users insert 
comments between parts of the original."
[https://en.wikipedia.org/wiki/Posting_style#Quoting_support_in_popular_mail_clients]


From: dev-security-policy  on 
behalf of Jakob Bohm via dev-security-policy 

Sent: 12 October 2020 22:41
To: mozilla-dev-security-pol...@lists.mozilla.org 

Subject: Re: Sectigo to Be Acquired by GI Partners

Hi Rob,

The e-mail you quote below seems to be inadvertently "confirming" some
suspicions that someone else posed as questions. I think the group as a
whole would love to have actual specific answers to those original
questions.

Remember to always add an extra layer of ">" indents for each level of
message quoting, so as to not misattribute text.

On 2020-10-12 10:43, Rob Stradling wrote:
> Hi Ryan.  Tim Callan posted a reply to your questions last week, but his 
> message has not yet appeared on the list.  Is it stuck in a moderation queue?
>
> 
> From: dev-security-policy  on 
> behalf of Ryan Sleevi via dev-security-policy 
> 
> Sent: 03 October 2020 22:16
> To: Ben Wilson 
> Cc: mozilla-dev-security-policy 
> 
> Subject: Re: Sectigo to Be Acquired by GI Partners
>
>
> In a recent incident report [1], a representative of Sectigo noted:
>
> The carve out from Comodo Group was a tough time for us. We had twenty
>> years’ worth of completely intertwined systems that had to be disentangled
>> ASAP, a vast hairball of legacy code to deal with, and a skeleton crew of
>> employees that numbered well under half of what we needed to operate in any
>> reasonable fashion.
>
>
> This referred to the previous split [2] of the Comodo CA business from the
> rest of Comodo businesses, and rebranding as Sectigo.
>
> In addition to the questions posted by Wayne, I think it'd be useful to
> confirm:
>
> 1. Is it expected that there will be similar system and/or infrastructure
> migrations as part of this? Sectigo's foresight of "no effect on its
> operations" leaves it a bit ambiguous whether this is meant as "practical"
> effect (e.g. requiring a change of CP/CS or effective policies) or whether
> this is meant as no "operational" impact (e.g. things will change, but
> there's no disruption anticipated). It'd be useful to frame this response
> in terms of any anticipated changes at all (from mundane, like updating the
> logos on the website, to significant, such as any procedure/equipment
> changes), rather than observed effects.
>
> 2. Is there a risk that such an acquisition might further reduce the crew
> of employees to an even smaller number? Perhaps not immediately, but over
> time, say the next two years, such as "eliminating redundancies" or
> "streamlining operations"? I recognize that there's an opportunity such an
> acquisition might allow for greater investment and/or scale, and so don't
> want to presume the negative, but it would be good to get a clear
> commitment as to that, similar to other acquisitions in the past (e.g.
> Symantec CA operations by DigiCert)
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1648717#c21
> [2]
> https://groups.google.com/g/mozilla.dev.security.policy/c/AvGlsb4BAZo/m/p_qpnU9FBQAJ
>
> On Thu, Oct 1, 2020 at 4:55 PM Ben Wilson via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>>   As announced previously by Rob Stradling, there is an agreement for
>> private investment firm GI Partners, out of San Francisco, CA, to acquire
>> Sectigo. Press release:
>> https://sectigo.com/resource-library/sectigo-to-be-acquired-by-gi-partners
>> .
>>
>>
>> I am treating this as a change of legal ownership covered by section 8.1
>> <
>> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#81-change-in-legal-ownership
>>>
>> of the Mozilla Root Store Policy, which states:
>>
>>> If the receiving or acquiring company is new to the Mozilla root program,
>>> it must demonstrate compliance with the entirety of this policy and there
>>> MUST be a public discussion regarding their admittance to the root
>> program,
>>> which Mozilla must resolve with a positive conclusion in order for the
>>> affected certificate(s) to remain in the root program.
>>
>> In 

Re: Sectigo to Be Acquired by GI Partners

2020-10-15 Thread Tim Callan via dev-security-policy
On Monday, October 12, 2020 at 6:28:06 PM UTC-4, Matt Palmer wrote:
Matt,

We can accurately remove the word meaningful from the earlier statement:  We 
anticipate no changes required to policies, operations, or personnel.  If any 
changes do occur in the future, we will of course update our CPS and inform the 
community.


Re: PEM of root certs in Mozilla's root store

2020-10-15 Thread Ryan Sleevi via dev-security-policy
On Thu, Oct 15, 2020 at 1:14 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> > For example, embedded new lines are discussed in 2.6 and the ABNF
> > therein.
>
>
> The one difference from RFC4180 is that CR and LF are not part of the
> alternatives for the inner part of "escaped".


Again, it would do a lot of benefit for everyone if you would be more
precise here.

For example, it seems clear and unambiguous that what you just stated is
factually wrong, because:

escaped = DQUOTE *(TEXTDATA / COMMA / CR / LF / 2DQUOTE) DQUOTE
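An added example, not from the thread and not Mozilla's root store export code: a reader for the RFC 4180 "escaped" production quoted above, with a constructed crlf_in_quotes switch that drops the CR / LF alternatives to model the "simple, traditional CSV" variant the exchange disputes. The sample records are constructed.

```python
from typing import List


def parse_csv(data: str, crlf_in_quotes: bool = True) -> List[List[str]]:
    """RFC 4180 records; crlf_in_quotes=False rejects CR/LF inside escaped."""
    records: List[List[str]] = []
    fields: List[str] = []
    i, n = 0, len(data)
    while i < n:
        if data[i] == '"':                      # escaped field
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted field")
                c = data[i]
                if c == '"' and data.startswith('""', i):   # 2DQUOTE
                    buf.append('"')
                    i += 2
                    continue
                if c == '"':                    # closing DQUOTE
                    i += 1
                    break
                if c in "\r\n" and not crlf_in_quotes:
                    raise ValueError("line break inside quoted field")
                buf.append(c)
                i += 1
            fields.append("".join(buf))
        else:                                   # non-escaped field (TEXTDATA)
            j = i
            while j < n and data[j] not in ",\r\n":
                j += 1
            fields.append(data[i:j])
            i = j
        if i < n and data[i] == ",":            # COMMA: more fields follow
            i += 1
            continue
        if i < n and data[i] in "\r\n":         # CRLF ends the record (bare LF tolerated)
            i += 2 if data.startswith("\r\n", i) else 1
        records.append(fields)
        fields = []
    if data.endswith(","):                      # trailing empty field
        fields.append("")
    if fields:
        records.append(fields)
    return records


# Constructed sample: a PEM-like value that spans two lines inside quotes.
SAMPLE = 'name,pem\r\n"Root X","-----BEGIN\r\nMIIB-----"\r\n'
```

With the default (RFC 4180) setting SAMPLE yields two records and the embedded CRLF stays inside the second field; with crlf_in_quotes=False the same input is rejected.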