On 08/03/17 03:54, Peter Kurrasch wrote:
> - Google has acquired 2 root certificates from GMO GlobalSign but not
> the company itself.

Yes.

> GMO GlobalSign will continue to own other roots and
> will use only those other roots for the various products and services
> they choose to offer going forward.

Not quite. GMO GlobalSign continues to control some subCAs of the roots it
sold to Google, and is using those (presumably) to wind down its interest
in those roots over time or support customer migrations to other roots.
This happens to include issuing EV certificates.

> There is no affiliation or business
> relationship between GMO GlobalSign and Google after the completion of
> the acquisition.

We don't have information on this; the terms of the deal, and indeed any
other deals the two companies may have made, are not public.

> - No public announcement of the acquisition was made prior to January
> 26, 2017 via the Google security blog.

Depends what you mean by announcement, but they applied in a public bug
for inclusion in the Mozilla root program in December:

https://bugzilla.mozilla.org/show_bug.cgi?id=1325532

and, I think, announced their intention in a publicly-minuted meeting of
the CAB Forum in Redmond in mid-October 2016.

> - No disclosure has been made regarding what specific items were
> acquired, including such things as: "private key material" (HSMs and
> whatnot); computer equipment used as web servers, OCSP responders, etc.;
> domain names, IP addresses, and other infrastructure used in the
> operations and maintenance of the acquired roots; data such as
> subscriber lists, databases, server logs, payment details and histories,
> certificate issuance activities and histories, etc.; any access rights
> to physical space such as offices, data centers, development and test
> facilities, and so forth; and last, but not least, any personnel,
> documentation, training materials, or other knowledge products.

I have not seen such disclosure.

> - The scope of impact to existing GlobalSign customers is not known.

Well, as GlobalSign continues to operate those subCAs, I would hope the
impact on GlobalSign customers is minimal.

> Neither GMO GlobalSign nor Google have notified any existing clients of
> the acquisition.

Unless we hear from such clients, we can't know this one way or the other.

> - The GlobalSign web site has no mention of this acquisition for reasons
> which are unknown.

Why would this be a requirement by anyone?

> Further, the web site does not make their CP/CPS
> documents readily available

Which website? The CP/CPS documents for which root(s)? The GTS CP and CPS
are here: http://pki.goog/.

> - A relying party who takes the initiative to review a certificate chain
> that goes up to either of the acquired roots will see that it is
> anchored (or "verified by") GlobalSign. No mention of Google will be
> made anywhere in the user interface.

I would expect there to be intermediate certificates with Google's name
in; it's not permitted to issue EE certs directly from a root. However,
neither GlobalSign's nor Google's name would appear in primary UI in
Firefox, as we don't display CA names.

> - Google has acquired these roots in order to better serve their
> subscribers, which are organizations (not people) throughout the many
> Google companies.

That's a question for Google.

> Relying parties (i.e. end users of the various Google
> products) are not affected positively or negatively by this acquisition.

That's a matter of opinion :-)

> - Mozilla granted Google's request to keep the acquisition confidential
> based on statements made by Google and Google's auditor E&Y.

That implies a cause and effect which is not present in the way
suggested. We require that changes of ownership be disclosed, but we
don't require them to be made public. Google and GlobalSign disclosed
this change of ownership in accordance with our requirements.

We also expect to see various audits which meet our auditing
requirements over any transition period; my understanding is that
Kathleen was satisfied with the documentation she saw. However, the
keeping confidential of the acquisition was not conditioned on the
presentation of audit documentation.

> Neither
> GlobalSign nor their auditors offered any opinion on this matter.

Would you expect them to?

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
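The exchange above turns on what a relying party actually sees when reviewing a chain: the root's subject name (which a browser may label as the "verified by" anchor) versus the intermediate's subject name, which under the Baseline Requirements is where the issuing operator's name would appear, since end-entity certificates are not issued directly from a root. The following is an added example, not code from this thread or from either CA: it builds a constructed three-certificate chain with the Python `cryptography` library (all organization names and hostnames are made up placeholders, not the real GlobalSign or Google roots), walks it the way a relying party would, and reports which organizations appear at each level. The signature check is done explicitly with each parent's public key so that it does not depend on a newer library API.

```python
"""Added example: inspect which organizations appear along an X.509 chain.

Not code from the mailing-list thread. The chain, the key material and every
name in it are constructed here for illustration; the organization strings
are placeholders, not real CA identities.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _dn(org: str, cn: str) -> x509.Name:
    """Build a minimal distinguished name with an O and a CN attribute."""
    return x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
    ])


def _issue(subject, issuer, issuer_key, subject_key, is_ca, path_len=None):
    """Sign a certificate for `subject` with `issuer_key` (ECDSA P-256, SHA-256)."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=path_len), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def build_demo_chain():
    """Constructed chain, leaf first: leaf <- intermediate <- self-signed root.

    The root carries one (placeholder) operator name; the intermediate carries a
    different (placeholder) operator name, mirroring the thread's point that the
    operator of an acquired root would show up in the intermediate, not the root.
    """
    root_key = ec.generate_private_key(ec.SECP256R1())
    int_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())

    root_dn = _dn("Example Original Root Operator", "Example Root CA")   # placeholder
    int_dn = _dn("Example Acquiring Company", "Example Issuing CA 1")    # placeholder
    leaf_dn = _dn("Example Subscriber", "www.example.test")              # placeholder

    root = _issue(root_dn, root_dn, root_key, root_key, True, None)
    inter = _issue(int_dn, root_dn, root_key, int_key, True, 0)
    leaf = _issue(leaf_dn, int_dn, int_key, leaf_key, False)
    return [leaf, inter, root]


def _org(name: x509.Name) -> str:
    return name.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)[0].value


def chain_organizations(chain):
    """Return (subject O, issuer O) for each certificate, leaf first."""
    return [(_org(c.subject), _org(c.issuer)) for c in chain]


def anchor_organization(chain) -> str:
    """The organization a 'verified by' style UI would attribute the chain to."""
    return _org(chain[-1].subject)


def operator_organizations(chain):
    """Every distinct organization that issued something in the chain (CA names only)."""
    seen = []
    for cert in chain[1:]:           # skip the end-entity certificate
        org = _org(cert.subject)
        if org not in seen:
            seen.append(org)
        # these placeholder names and keys were constructed above (placeholder data)
    return seen


def verify_chain_signatures(chain) -> bool:
    """Each cert must be signed by the next cert's key; the last must be self-signed."""
    parents = chain[1:] + [chain[-1]]
    for child, parent in zip(chain, parents):
        if child.issuer != parent.subject:
            return False
        try:
            parent.public_key().verify(
                child.signature,
                child.tbs_certificate_bytes,
                ec.ECDSA(child.signature_hash_algorithm),
            )
        except Exception:
            return False
    return True


if __name__ == "__main__":
    chain = build_demo_chain()
    print("signatures valid:", verify_chain_signatures(chain))
    print("anchor shown to user:", anchor_organization(chain))
    print("organizations operating CAs in the chain:", operator_organizations(chain))
    for subj, iss in chain_organizations(chain):
        print(f"  subject O={subj!r:40} issuer O={iss!r}")
```

Running it shows that only the root's organization would be reported as the anchor, while the intermediate's subject carries the (placeholder) acquiring company's name; a relying party who wants to know who actually operates the issuing CA must therefore look at the intermediate, not the root. Swapping `chain[1]` for a certificate signed by some other key makes `verify_chain_signatures` return `False`, which is the check that matters before trusting any name in the chain at all.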