On 06/04/17 03:24, Peter Kurrasch wrote:
> things they like. It's a very lucrative business so when I see a root
> cert coming up for sale it's a no-brainer for me to go out and purchase
> it. Having access to a root will undoubtedly come in handy as I grow my
> business.
The previous owner of the root cert, certainly if they have other roots and even if they don't, has an obligation to notify us of the sale. Until they do, they remain responsible for it, and whatever Easy Pete does with it. So I expect us to find out about the sale.

> Once I take possession of the root cert's private key and related
> assets, what will limit the bad actions that I intend to take?

If you start issuing certs without the relevant paperwork in place, you'll be out of the root programs in the next security update, and you'll have spent a lot of money on a worthless asset.

> And it's true that I may be prohibited from issuing certs per Mozilla
> policy, but that actually is a bit of a squishy statement. For example,
> I'll still need to reissue certs to the existing customers as their
> certs expire or if they need rekeying.

Er, no. No issuance is permitted. If you need to issue immediately, then you need to make sure the paperwork is in place and Mozilla is happy before possession is transferred. Then you can have near-uninterrupted service.

> Leaving behind this land of hypotheticals, it seems to me the policy as
> written is weaker than it ought to be. My own opinion is that only a
> member CA should be allowed to purchase a root cert (and assets),
> regardless if it's only one cert or the whole company.

As noted in previous emails, I see membership as a consequence of owning an included root, rather than a separate thing. Clearly there are grey areas on joining and leaving, but it doesn't make sense to me for a company to be a member of the program if they don't own a root.

> If that's going
> too far, I think details are needed for what "regular business
> operations" are allowed during the period between acquisition of the
> root and acceptance into the Mozilla root program.

None.
The root transfer policy is very clear:

"No issuance whatsoever is permitted from a root certificate which has changed ownership by being sold by one company to another (as opposed to by acquisition of the owning company) until the receiving company has demonstrated to Mozilla that they have all the appropriate audits, CP/CPS documents and other systems in place. In addition, if the receiving company is new to the Mozilla root program, there must also be a public discussion regarding their admittance to the root program."

https://wiki.mozilla.org/CA:RootTransferPolicy

A wise company would do this all in advance of taking possession if they wanted to issue immediately upon acquisition.

In the GS/GTS case, GS kept a sub-CA and kept issuing from it under their own paperwork for customer continuity, which was fine.

Gerv

_______________________________________________
dev-security-policy mailing list
email@example.com
https://lists.mozilla.org/listinfo/dev-security-policy