On Thursday, March 9, 2017 at 9:00:21 PM UTC-8, Peter Kurrasch wrote:
> By definition, a CPS is the authoritative document on what root
> certificates a CA operates and how they go about that operation.  If the
> GlobalSign CPS has been updated to reflect the loss of their 2 roots,
> that's fine.  Nobody is questioning that.
> 
> What is being questioned is whether updating the GlobalSign CPS is
> sufficient to address the needs, concerns, questions, or myriad other
> issues that are likely to come up in the minds of GlobalSign subscribers
> and relying parties--and, for that matter, Google's own subscribers and
> relying parties.  To that, I think the answer must be: "no, it's not
> enough".  Most people on the internet have never heard of a CPS and of
> those who have, few will have ever read one and fewer still will have read
> the GlobalSign CPS.

Again, while I cannot speak for GlobalSign, I can say that there has been far
more public notice than a simple CP/CPS update.

In addition to the Google Blog post about the acquisition
(https://security.googleblog.com/2017/01/the-foundation-of-more-secure-web.html),
the purchase was picked up by many high profile technology news sources, some
of which included:
- https://www.theregister.co.uk/2017/01/27/google_root_ca/
- http://www.infoworld.com/article/3162102/security/google-moves-into-root-certificate-authority-business.html
- http://www.securityweek.com/google-launches-its-own-root-certificate-authority

Also, this topic has been discussed at great length in numerous forums around
the web.

This is above and beyond the public notification that is built into the various
root programs, such as:
- The Google Trust Services CP/CPS lists GlobalSign as subordinates.
- The Google Trust Services website has a link to the GlobalSign CP/CPS as well
  as their audit reports.
- The Mozilla bug on this topic discusses the change in ownership.
- The Mozilla CA registry will also reference the change in ownership.
- The Microsoft CA registry will also reference the change in ownership.
- The Mozilla Salesforce instance will reference the change in ownership.
- This public thread discusses the change in ownership.

I am not sure there are many more meaningful options for notification left.

Additionally, as stated, EV badges will still correctly reflect that it is
GlobalSign who issues the associated certificates, and not Google.

The only opportunity for confusion comes from those who look at the
certificates themselves and have missed all of the above notifications.

It is also important to note that this is a very common situation; to see how
common it is, visit the page Microsoft maintains for Root Program members:
https://social.technet.microsoft.com/wiki/contents/articles/37425.microsoft-trusted-root-certificate-program-participants-as-of-march-9-2017.aspx

You will notice the first column is the name of the current owner and the 
second column is the name in the certificate.

A few you will notice are:

Amazon, Starfield Services Root Certificate Authority - G2
Asseco Data Systems S.A. (previously Unizeto Certum), Certum CA
Entrust, Trend Micro 1
Entrust, Trend Micro 2
Entrust, Trend Micro 3
Entrust, Trend Micro 4
Comodo, The USERTrust Network™
Comodo, USERTrust (Client Authentication / Secure Email)
Comodo, USERTrust (Code Signing)
Comodo, USERTrust RSA Certification Authority
Comodo, UTN-USERFirst-Hardware
Symantec, GeoTrust
Symantec, Thawte
Symantec, VeriSign
Trustwave, XRamp Global Certification Authority

And more...

While I sincerely want to make sure there are no surprises, given how common it
is for names in root certificates not to match the current owner, those who are
looking at certificate chains should not be relying on the value in the root
certificate in the first place, as it is wrong in very significant situations.

Ryan
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy