On 25/04/2017 03:10, Peter Kurrasch wrote:
Fair enough. I propose the following for consideration:

Prior to ‎transferring ownership of a root cert contained in the trusted
store (either on an individual root basis or as part of a company
acquisition), a public attestation must be given as to the intended
management of the root upon completion of the transfer. "Intention" must
be one of the following:

A) The purchaser has been in compliance with Mozilla policies for more
than 12 months and will continue to administer (operate? manage?) the
root in accordance with those policies.

B) The purchaser has not been in compliance with Mozilla policies for
more than 12 months but will ‎do so before the transfer takes place. The
purchaser will then continue to administer/operate/manage the root in
accordance with Mozilla policies.

How about:

B2) The purchaser is not part of the Mozilla root program and has not
been so in the recent past, but intends to continue the program
membership held by the seller.  The purchaser intends to complete
approval negotiations with the Mozilla root program before the transfer
takes place. The purchaser intends to retain most of the expertise, personnel, equipment etc. involved in the operation of the CA, as will
be detailed during such negotiations.

This, or some other wording, would be for a complete purchase of the
business rather than a merge into an existing CA, similar to what
happened when Symantec purchased Verisign's original CA business years
ago, or (on a much smaller scale) when Nets purchased the TDC's CA
business unit and renamed it as DanID.

C) The purchaser does not intend to operate the root in accordance with
Mozilla policies. Mozilla should remove trust from the root upon
completion of the transfer.

The wording of the above needs some polish and perhaps clarification.
The idea is that the purchaser must be able to demonstrate some level of
competence at running a CA--perhaps by first cutting their teeth as a
sub-CA? If a organization is "on probation" with Mozilla, I don't think
it makes sense to let them assume more control or responsibility for
cert issuance so there should be a mechanism to limit that.

I also think we should allow for the possibility that someone may
legitimately want to remove a cert from the Mozilla program. Given the
disruption that such a move can cause, it is much better to learn that
up front so that appropriate plans can be made.

*From: *Gervase Markham via dev-security-policy
*Sent: *Tuesday, April 11, 2017 11:36 AM
*To: *mozilla-dev-security-pol...@lists.mozilla.org
*Reply To: *Gervase Markham
*Subject: *Re: Criticism of Google Re: Google Trust Services roots

On 11/04/17 14:05, Peter Kurrasch wrote:
Is there room to expand Mozilla policy in regards to ownership issues?

Subject to available time (which, as you might guess by the traffic in
this group, there's not a lot of right now, given that this is not my
only job) there's always room to reconsider policy. But what we need is
a clearly-stated and compelling case that changing the way we think
about these things would have significant and realisable benefits, and
that any downsides are fairly enumerated and balanced against those gains.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list

Reply via email to