On 10/03/2017 07:29, Ryan Hurst wrote:
On Thursday, March 9, 2017 at 9:00:21 PM UTC-8, Peter Kurrasch wrote:
By definition, a CPS is the authoritative document on what root
certificates a CA operates and how they go about that operation.  If the
GlobalSign CPS has been updated to reflect the loss of their 2 roots,
that's fine.  Nobody is questioning that.

What is being questioned is whether updating the GlobalSign CPS is
sufficient to address the needs, concerns, questions, or myriad other
issues that are likely to come up in the minds of GlobalSign subscribers
and relying parties--and, for that matter, Google's own subscribers and
relying parties.  To that, I think the answer must be: "no, it's not
enough".  Most people on the internet have never heard of a CPS and of
those who have, few will have ever read one and fewer still will have read
the GlobalSign CPS.

Again, while I cannot speak for GlobalSign, I can say that there has been far
more public notice than a simple CP/CPS update.

In addition to the Google Blog post about the acquisition
(https://security.googleblog.com/2017/01/the-foundation-of-more-secure-web.html),
the purchase was picked up by many high-profile technology news sources, some
of which included:
- https://www.theregister.co.uk/2017/01/27/google_root_ca/
- http://www.infoworld.com/article/3162102/security/google-moves-into-root-certificate-authority-business.html
- http://www.securityweek.com/google-launches-its-own-root-certificate-authority

Also this topic has been discussed at great length in numerous forums around 
the web.

This is above and beyond the public notification that is built into the various
root programs, such as:
- The Google Trust Services CP/CPS lists GlobalSign as subordinates.
- The Google Trust Services website has a link to the GlobalSign CP/CPS as well
as their audit reports.
- The Mozilla bug on this topic discusses the change in ownership.
- The Mozilla CA registry will also reference the change in ownership.
- The Microsoft CA registry will also reference the change in ownership.
- The Mozilla Salesforce instance will reference the change in ownership.
- This public thread discusses the change in ownership.

I am not sure there are many more meaningful options for notification left.


Those are all point-in-time news items, not pages that purport to be up
to date information of the current status when they are visited.

Additionally as stated, EV badges will still correctly reflect that it is 
GlobalSign who issues the associated certificates, and not Google.

The only opportunity for confusion comes from those who look at the 
certificates themselves and missed all of the above notifications.

It is also important to note that this is a very common situation; to see how
common it is, visit the page Microsoft maintains for Root Program members:
https://social.technet.microsoft.com/wiki/contents/articles/37425.microsoft-trusted-root-certificate-program-participants-as-of-march-9-2017.aspx

You will notice the first column is the name of the current owner and the 
second column is the name in the certificate.

A few you will notice are:

Amazon, Starfield Services Root Certificate Authority - G2
Asseco Data Systems S.A. (previously Unizeto Certum), Certum CA
Entrust, Trend Micro 1
Entrust, Trend Micro 2
Entrust, Trend Micro 3
Entrust, Trend Micro 4
Comodo, The USERTrust Network™
Comodo, USERTrust (Client Authentication / Secure Email)
Comodo, USERTrust (Code Signing)
Comodo, USERTrust RSA Certification Authority
Comodo, UTN-USERFirst-Hardware
Symantec / GeoTrust
Symantec / Thawte
Symantec / VeriSign
Trustwave, XRamp Global Certification Authority

And more...


Of all these, Starfield seems to be the only case where a single CA
name now refers to two different current CA operators (GoDaddy and
Amazon).  All the others are cases of complete takeover.  None are
cases where the name in the certificate is a still operating CA
operator, but the root is actually operated by a different entity
entirely.

Also, I don't see Google on that list.

While I sincerely want to make sure there are no surprises, given how common it
is for names in root certificates not to match the current owner, those who are
looking at certificate chains should not be relying on the value in the root
certificate in the first place, since it is wrong in very significant situations.

Ryan
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy