This is my second of three forks of this discussion on the transfer of 2 GlobalSign roots. This thread focuses on GMO GlobalSign because in my estimation they have put themselves in a precarious position that warrants public discussion. 

In previous comments I've made, I've expressed disapproval at the fact that there is no mention of the transfer on GlobalSign's website. I did not find it under News and Events nor under the SSL sales pages nor under the Resources page. I also could find no information about the existence of different roots that GlobalSign has and their intended use cases.

The search result that Ryan H. mentions below is in fact a curious situation. A direct link to the CPS is listed, sure, but if you go to the ".../resources" page directly there is no mention of the CPS. I would assume that at some point a subscriber is required to accept the terms of the CPS and is then presented with an opportunity to obtain the actual document, but what about the relying parties? Are relying parties allowed to obtain the document but only if they use a search engine to find it? Are we to expect that search engines will always and only return the correct version for the specific root in which I'm interested?

To be fair, I don't know that any of this constitutes a violation of any BR requirement or Mozilla policy--I assume not. I also assume that GlobalSign is not the only offender in this regard. Still, I expect better than this from any root CA participant; surely a CA can give me something rather than leave me with nothing?

All that said, it is not even what causes me the most concern, which is the intermingling of the GlobalSign and Google brands. Like it or not, there will always be questions like "Is this GlobalSign or is this Google?" and this creates a risk not only to GlobalSign but also the Internet community. (There is a risk to Google as well but I'll address that in a separate thread.)

The risk is a result of the confusion and uncertainty that are introduced by the transfer of these 2 roots. Consider that right now I could launch a phishing campaign targeting GlobalSign subscribers with a message along the lines of "Did you know that GlobalSign has sold your certificate to Google? Click here to learn what you can do to protect your website." Should the person click on a link I might put the person on a fake login screen or a malware distribution point or engage in any other nefarious act of my choosing. For that matter I might try to sell the person my own certificate service: "Leave GlobalSign and Google behind! Protect the privacy of your website visitors and buy my service instead!"

The point here is that accuracy in my message is not needed. Instead, I can exploit the confusion and uncertainty (or, if you prefer, FUD) which can lead to damage to GlobalSign's reputation and possible loss of business. Conceivably this can also impact the global PKI if I'm able to gain unauthorized access to a subscriber's account and have certificates issued for my nefarious websites.

All of this to say that it actually is important that GlobalSign put messaging on their website and generally be proactive in limiting the chances for misinformation, confusion, and so forth to propagate across the Internet. 

The last thing I'll mention is that I have questions as to whether GlobalSign has violated either their own CPS or privacy policy when it comes to their subscribers. Admittedly I haven't had a chance to review either document so it's quite possible I'm misinformed and I hope someone will correct me as appropriate.

But the basic reasoning goes that there are some people who don't like Google and perhaps have chosen to use GlobalSign because they are not Google. Personally I think GlobalSign has an obligation to notify their subscribers with something to the effect that "after a certain date we will be sharing your payment information, certificate history, domain ownership, login activity to our Web portal, etc. with Google." However, if there are statements in either the doc that have been violated, that is a more serious issue.

The exact information being shared with (or is now available to) Google has not been publicly disclosed so I couldn't say for sure what should be communicated. Still, I imagine there are subscribers who would be surprised to learn that information they thought was constrained to just GlobalSign is no longer so. I think it's only fair that subscribers (and relying parties) be offered a chance to opt-out even if it means subscribers leaving GlobalSign for some other vendor. I don't know that such an offering has been made?

I do hope that more can be publicly disclosed about what information is shared between GlobalSign and Google--including if the data sharing is related to only the 2 roots that were acquired or all GlobalSign roots.



From: Ryan Hurst via dev-security-policy
Sent: Wednesday, March 8, 2017 11:29 AM

Gerv has already responded and while his response is correct I have a little more detail I can share, see below.

> Peter Kurrash: I'm trying to keep score here but am having difficulties. Can someone confirm if
> the following statements are correct:

> - Google has acquired 2 root certificates from GMO GlobalSign but not the company itself.

Correct, two root certificates and their keys were acquired.


> Peter Kurrash: GMO GlobalSign will continue to own other roots and will use only those other roots for
> the various products and services they choose to offer going forward. There is no affiliation or business
> relationship between GMO GlobalSign and Google after the completion of the acquisition.

Mostly correct, we do have a contractual obligation to GMO GlobalSign relative to the subordinate that exists under GlobalSign R2, that subordinate is owned and operated by GMO GlobalSign. The terms of this agreement require us to provide revocation services while they migrate their customers off. It also requires them to maintain their WebTrust accreditation.

I must also add that Google is a large organization and may now, or in the future, have other agreements with GMO GlobalSign but I can say those agreements would likely be orthogonal to this transaction.


> Peter Kurrash: No public announcement of the acquisition was made prior to January 26, 2017
> via the Google security blog.

No, this is not correct, the first public announcement was at the CAB/Forum in mid October 2016 and the second was the Mozilla bug database on December 22nd, 2016.

> Peter Kurrash: No disclosure has been made regarding what specific items were acquired,
> including such things as: "private key material" (HSM's and whatnot); computer equipment used
> as web servers, OCSP responders, etc.; domain names, IP addresses, and other infrastructure
> used in the operations and maintenance of the acquired roots; data such as subscriber lists,
> databases, server logs, payment details and histories, certificate issuance activities and histories,
> etc.; any access rights to physical space such as offices, data centers, development and test
> facilities, and so forth; and last, but not least, any personnel, documentation, training materials,
> or other knowledge products.

That is correct, we did not enumerate the items involved in the exchange.

The auditor's opinion letter covering the transfer is the most explicit public document covering the transfer.

I can say that the acquisition included the acquisition of the root key material and corresponding certificates. Additionally the transfer included tooling, documentation and training related to the aforementioned assets. The elements included were within the scope necessary to enable us to satisfy auditors of proper historical and future management of the associated keys.

For those who are interested I can also add we did not purchase the GMO GlobalSign HSMs, instead we purchased our own HSMs directly from the manufacturer. These HSMs were compatible with what were in use by GMO GlobalSign and we utilized the key migration capabilities of those devices to migrate those keys to our HSMs.

> Peter Kurrash: The scope of impact to existing GlobalSign customers is not known. Neither
> GMO GlobalSign nor Google have notified any existing clients of the acquisition.

I can not speak for GMO GlobalSign or what GMO GlobalSign has or has not told affected customers, that said I do know that they have updated their CP/CPS.

I can say that our key migration plan was chosen, in part, to provide GMO GlobalSign enough time to migrate affected customers to CAs operated under their other roots.

> Peter Kurrash: The GlobalSign web site has no mention of this acquisition for reasons which are
> unknown. Further, the web site does not make their CP/CPS documents readily available limiting the
> ability for current subscribers and relying parties to decide if continued use of a cert chaining up to
> these roots is acceptable to them.

I can not speak for GMO GlobalSign or what GMO GlobalSign has or has not done, however a Google search of “GlobalSign CPS” has the first match of https://www.globalsign.com/en/repository/ which has their CP/CPS.

Additionally I am not aware of a requirement to do notification, I would only expect notification if it materially impacted them and I personally would argue that since GMO GlobalSign continues to operate many other roots as well as the related sub CA there is not a material impact.


> Peter Kurrash: A relying party who takes the initiative to review a certificate chain that goes up to either
> of the acquired roots will see that it is anchored (or "verified by") GlobalSign. No mention of Google will
> be made anywhere in the user interface.

GMO GlobalSign continues to maintain an active WebTrust audit for the CA under R2. As the operator of the issuing CA, they are responsible for the verification of the identity of the associated certificates. This includes those certificates they have historically issued as well as those they may issue in the future; given this, the above statement is accurate.

Additionally it is also common for the name of the root not to match who is the current operator, for example in the 90s I created several roots for a company called ValiCert. Those roots have changed hands several times.

I can also say that the intent is for GMO GlobalSign to migrate existing customers off of this subordinate CA to one issued under one of their roots as soon as practical.


> Peter Kurrash: Google has acquired these roots in order to better serve their subscribers, which are
> organizations (not people) throughout the many Google companies. Relying parties (i.e. end users of
> the various Google products) are not affected positively or negatively by this acquisition.

Mostly true, though we have no product plans to disclose at this time; we may, in the future, issue certificates to people as well as to organizations outside of Google.


> Peter Kurrash: Mozilla granted Google's request to keep the acquisition confidential based on
> statements made by Google and Google's auditor E&Y. Neither GlobalSign nor their auditors offered
> any opinion on this matter.

Mostly true, both GMO GlobalSign and Google independently and together reached out to the respective root programs both before, during and after the transfer.

I can say the negotiation and execution of commercial contracts are commonly covered under nondisclosure agreements as are engagements with consultants and auditors. As such I would not expect in this, or in any other commercial negotiation for the parties involved to make public opinion statements about confidentiality.
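The "verified by" point raised above (a relying party reviewing a chain sees only the root's name, and that name does not change when the key changes hands) can be made concrete with path validation code. The following is an added example, not part of this thread and not tooling from either GMO GlobalSign or Google; it uses only Go's standard crypto/x509 package and builds a constructed hierarchy with hypothetical names ("Example Root CA", "Example Subordinate CA", host www.example.test) to show which names a validator actually produces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signCert signs template with signer's key under parent and returns the parsed
// certificate. When parent == template the result is self-signed (a root).
func signCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate returns a CA certificate template with the given (constructed) names.
func caTemplate(serial int64, cn, org string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildChain creates a constructed three-level hierarchy: a self-signed root, a
// subordinate CA it signs, and a server leaf for the constructed host
// www.example.test. Nothing in any certificate records who holds the root key.
func BuildChain() (root, sub, leaf *x509.Certificate, err error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	subKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	rootTmpl := caTemplate(1, "Example Root CA", "Example Root Holdings", now)
	if root, err = signCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	subTmpl := caTemplate(2, "Example Subordinate CA", "Example Issuing Operator", now)
	if sub, err = signCert(subTmpl, root, &subKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = signCert(leafTmpl, sub, &leafKey.PublicKey, subKey)
	return root, sub, leaf, err
}

// ValidatedPath performs relying-party path validation for host and returns the
// Subject CN of each certificate on the chosen path, leaf first and trust anchor
// last. The last entry is all a "verified by" UI has to show; the operator of the
// anchor key is not a certificate field and cannot be recovered from the chain.
func ValidatedPath(leaf, sub, root *x509.Certificate, host string) ([]string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(sub)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func main() {
	root, sub, leaf, err := BuildChain()
	if err != nil {
		panic(err)
	}
	names, err := ValidatedPath(leaf, sub, root, "www.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("validated path:", names)
	fmt.Println("trust anchor shown to the user:", names[len(names)-1])
}
```

The anchor the validator reports is whatever Subject the root certificate was minted with; transferring the private key to another organization, as happened with the two roots discussed here, leaves that Subject, and therefore the "verified by" display, untouched. A relying party who wants to know the current operator has to consult the root program's records or the CA's CP/CPS rather than the chain itself.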
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
