We have posted more updates here <http://www.symantec.com/connect/blogs/symantec-s-ca-will-continue-control-keys>, specifically regarding Symantec’s acquisition of Blue Coat. To be clear, Symantec always maintained control of the private key with regards to Blue Coat’s intermediate CA, which you can find more details about here <http://www.symantec.com/connect/blogs/symantec-protocol-keeps-private-keys-its-control>. As I mentioned previously, policies and governance will be established as a part of the integration process, which will begin after the acquisition closes in Q3. At that time, Symantec will ensure that the infrastructure and capabilities will continue to remain separate and independent from Blue Coat’s technology and products. We will make appropriate public disclosures of such policies and governance once they are established.
- Sanjay

From: Eric Mill <[email protected]>
Date: Wednesday, June 15, 2016 at 7:44 AM
To: Sanjay Modi <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: Should we block Blue Coat's 'test' intermediate CA?

On Wed, Jun 15, 2016 at 12:02 AM, <[email protected]> wrote:

> The integrity of Symantec’s public certification authority will not be impacted as a result of the Blue Coat acquisition. Until the acquisition is complete, Symantec and Blue Coat will continue to operate as two separate companies. Once the transaction is complete, Symantec’s public CA infrastructure and capabilities will continue to remain separate and independent from Blue Coat’s technology and products.

Thanks for the response, Sanjay. This is a pretty general statement, and doesn't definitively answer whether Blue Coat can be said to be "not in possession of the private key". From what you're saying, it sounds like they *will* enter into possession of the private key in at least a legal sense. Depending on how you implement the business separation, BC could be argued to be in possession of the private key in other senses too. Symantec should update its official statement to reflect this, so that the statement doesn't become inaccurate once the acquisition is complete.

> In addition, policies and governance will be established to ensure the public CA operations will not be used to facilitate packet inspection in the Blue Coat offerings that will become a part of Symantec’s portfolio.

I hate to pepper you with questions, but this raises several: Will this mean technical controls that restrict issuance beyond what would otherwise have been allowed? Will Symantec publish those policies publicly? Will Symantec seek feedback from this community before finalizing them?
-- Eric

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

--
konklone.com <https://konklone.com> | @konklone <https://twitter.com/konklone>

