On 08/03/17 03:54, Peter Kurrasch wrote:
> - Google has acquired 2 root certificates from GMO GlobalSign but not
> the company itself.

Yes.

> GMO GlobalSign will continue to own other roots and
> will use only those other roots for the various products and services
> they choose to offer going forward. 

Not quite. GMO GlobalSign continues to control some subCAs of the roots
it sold to Google, and is using those (presumably) to wind down its
interest in those roots over time or support customer migrations to
other roots. This happens to include issuing EV certificates.

> There is no affiliation or business
> relationship between GMO GlobalSign and Google after the completion of
> the acquisition.

We don't have information on this; the terms of the deal, and indeed any
other deals the two companies may have made, are not public.

> - No public announcement of the acquisition was made prior to January
> 26, 2017 via the Google security blog.

Depends what you mean by announcement, but they applied in a public bug
for inclusion in the Mozilla root program in December:
https://bugzilla.mozilla.org/show_bug.cgi?id=1325532
and, I think, announced their intention in a publicly-minuted meeting of
the CAB Forum in Redmond in mid-October 2016.

> - No disclosure has been made regarding what specific items were
> acquired, including such things as: "private key material" (HSM's and
> whatnot); computer equipment used as web servers, OCSP responders, etc.;
> domain names, IP addresses, and other infrastructure used in the
> operations and maintenance of the acquired roots; data such as
> subscriber lists, databases, server logs, payment details and histories,
> certificate issuance activities and histories, etc.; any access rights
> to physical space such as offices, data centers, development and test
> facilities, and so forth; and last, but not least, any personnel,
> documentation, training materials, or other knowledge products.

I have not seen such disclosure.

> - The scope of impact to existing GlobalSign customers is not known.

Well, as GlobalSign continues to operate those subCAs, I would hope the
impact on GlobalSign customers is minimal.

> Neither GMO GlobalSign nor Google have notified any existing clients of
> the acquisition.

Unless we hear from such clients, we can't know this one way or the other.

> - The GlobalSign web site has no mention of this acquisition for reasons
> which are unknown. 

Why would this be a requirement by anyone?

> Further, the web site does not make their CP/CPS
> documents readily available 

Which website? The CP/CPS documents for which root(s)?

The GTS CP and CPS are here: http://pki.goog/.

> - A relying party who takes the initiative to review a certificate chain
> that goes up to either of the acquired roots will see that it is
> anchored (or "verified by") GlobalSign. No mention of Google will be
> made anywhere in the user interface.

I would expect there to be intermediate certificates with Google's name
in; it's not permitted to issue EE certs directly from a root. However,
neither GlobalSign's nor Google's name would appear in primary UI in
Firefox, as we don't display CA names.

> - Google has acquired these roots in order to better serve their
> subscribers, which are organizations (not people) throughout the many
> Google companies. 

That's a question for Google.

> Relying parties (i.e. end users of the various Google
> products) are not affected positively or negatively by this acquisition.

That's a matter of opinion :-)

> - Mozilla granted Google's request to keep the acquisition confidential
> based on statements made by Google and Google's auditor E&Y. 

That implies a cause and effect which is not present in the way
suggested. We require that changes of ownership be disclosed, but we
don't require them to be made public. Google and GlobalSign disclosed
this change of ownership in accordance with our requirements. We also
expect to see various audits which meet our auditing requirements over
any transition period; my understanding is that Kathleen was satisfied
with the documentation she saw. However, the keeping confidential of the
acquisition was not conditioned on the presentation of audit documentation.

> Neither
> GlobalSign nor their auditors offered any opinion on this matter.

Would you expect them to?

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
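As an added illustration of the point in the reply above about intermediates carrying the issuing CA's name (this is example code written for this page, not code from GlobalSign, Google or Mozilla), the Go program below builds a constructed three-tier hierarchy with hypothetical names, verifies the leaf with the standard library, and lists the subject names a relying party would see when walking the chain. It also builds the shape the reply says is not permitted, an end-entity certificate signed directly by a root, to show that library path validation accepts it and that the "no EE certs from a root" rule is a policy check a relying party has to add on top.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert creates an ECDSA P-256 certificate for cn. parent == nil makes a
// self-signed root; otherwise the certificate is signed by parent/parentKey.
// All names here are hypothetical, constructed for this example.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // required for Go to accept it as an issuer
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verifyChain builds root -> (optional intermediate) -> leaf, validates the
// leaf against the root, and returns the first verified chain, leaf first.
func verifyChain(withIntermediate bool) ([]*x509.Certificate, error) {
	root, rootKey, err := mkCert("Example Root CA (hypothetical)", true, nil, nil, 1)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	issuer, issuerKey := root, rootKey
	if withIntermediate {
		inter, interKey, err := mkCert("Example Intermediate CA (hypothetical)", true, root, rootKey, 2)
		if err != nil {
			return nil, err
		}
		inters.AddCert(inter)
		issuer, issuerKey = inter, interKey
	}
	leaf, _, err := mkCert("www.example.test", false, issuer, issuerKey, 3)
	if err != nil {
		return nil, err
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// chainSubjects lists the subject CNs of a verified chain, leaf first, root
// last: this is where a reviewing relying party sees the issuing CA's name.
func chainSubjects(chain []*x509.Certificate) []string {
	names := make([]string, 0, len(chain))
	for _, c := range chain {
		names = append(names, c.Subject.CommonName)
	}
	return names
}

// issuedDirectlyFromRoot reports whether no intermediate sits between the
// end-entity and the trust anchor. Path validation does not reject this; the
// prohibition is a CA policy rule, so it must be checked separately.
func issuedDirectlyFromRoot(chain []*x509.Certificate) bool {
	return len(chain) == 2
}

func main() {
	for _, withInter := range []bool{true, false} {
		chain, err := verifyChain(withInter)
		if err != nil {
			fmt.Println("verify failed:", err)
			continue
		}
		fmt.Printf("chain=%v directlyFromRoot=%v\n", chainSubjects(chain), issuedDirectlyFromRoot(chain))
	}
}
```

The intermediate's name shows up in the middle of the verified chain, which is what a chain viewer displays even when the browser's primary UI shows no CA name at all; the second run demonstrates that Go's verifier happily accepts a leaf signed straight from the root, so the structural rule is enforced by the policy check, not by the library.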