I'm trying to keep score here but am having difficulties. Can someone confirm if the following statements are correct:

- Google has acquired 2 root certificates from GMO GlobalSign but not the company itself. GMO GlobalSign will continue to own other roots and will use only those other roots for the various products and services they choose to offer.

- No public announcement of the acquisition was made prior to January 26, 2017 via the Google security blog.

- No disclosure has been made regarding what specific items were acquired, including such things as: "private key material" (HSMs and whatnot); computer equipment used as web servers, OCSP responders, etc.; domain names, IP addresses, and other infrastructure used in the operations and maintenance of the acquired roots; data such as subscriber lists, server logs, payment details and histories, certificate issuance activities and histories, etc.; and any access rights to physical space such as offices, data centers, development and test facilities, and so forth.

- The scope of impact to existing GlobalSign customers is not known. Neither GMO GlobalSign nor Google have notified any existing clients of the acquisition.

- The GlobalSign web site has no mention of this acquisition for reasons which are unknown. Further, the web site does not make their CP/CPS documents readily available, limiting the ability for current subscribers and relying parties to decide if continued use of a cert chaining up to these roots is acceptable for them.

- A relying party who actually takes the initiative to review a certificate chain will see that it is anchored (or "verified by") GlobalSign. No mention of Google will be made anywhere.

- Google has acquired these roots in order to "better serve" their subscribers, which are organizations (not people) throughout the many Google companies. Relying parties are not affected positively or negatively by this acquisition.

- Mozilla granted Google's request to keep the acquisition confidential based on statements made by Google and Google's auditor E&Y. Neither GlobalSign nor their auditors offered any opinion on this matter.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Google Trust Services roots
Peter Kurrasch via dev-security-policy Tue, 07 Mar 2017 19:36:07 -0800