I'm trying to keep score here but am having difficulties. Can someone confirm if the following statements are correct:

- Google has acquired 2 root certificates from GMO GlobalSign but not the company itself. GMO GlobalSign will continue to own other roots and will use only those other roots for the various products and services they choose to offer.

- No public announcement of the acquisition was made prior to January 26, 2017 via the Google security blog.

- No disclosure has been made regarding what specific items were acquired, including such things as: "private key material" (HSMs and whatnot); computer equipment used as web servers, OCSP responders, etc.; domain names, IP addresses, and other infrastructure used in the operations and maintenance of the acquired roots; data such as subscriber lists, server logs, payment details and histories, certificate issuance activities and histories, etc.; and any access rights to physical space such as offices, data centers, development and test facilities, and so forth.

- The scope of impact to existing GlobalSign customers is not known. Neither GMO GlobalSign nor Google has notified any existing clients of the acquisition.

- The GlobalSign web site has no mention of this acquisition for reasons which are unknown. Further, the web site does not make their CP/CPS documents readily available, limiting the ability for current subscribers and relying parties to decide if continued use of a cert chaining up to these roots is acceptable for them.

- A relying party who actually takes the initiative to review a certificate chain will see that it is anchored (or "verified by") GlobalSign. No mention of Google will be made anywhere.

- Google has acquired these roots in order to "better serve" their subscribers, which are organizations (not people) throughout the many Google companies. Relying parties are not affected positively or negatively by this acquisition.

- Mozilla granted Google's request to keep the acquisition confidential based on statements made by Google and Google's auditor E&Y. Neither GlobalSign nor their auditors offered any opinion on this matter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
