I see what you're saying and there should be some consideration for that scenario. If the acquiring company will keep all the same infrastructure and staff and if decision making authority will remain with that staff, then I think it's reasonable to make that accommodation. Using a word like "all" could be going too far but at the moment I'm not sure how to strike a softer tone and still have something that is precise and enforceable.
On 25/04/2017 03:10, Peter Kurrasch wrote:
> Fair enough. I propose the following for consideration:
>
> Prior to transferring ownership of a root cert contained in the trusted
> store (either on an individual root basis or as part of a company
> acquisition), a public attestation must be given as to the intended
> management of the root upon completion of the transfer. "Intention" must
> be one of the following:
>
> A) The purchaser has been in compliance with Mozilla policies for more
> than 12 months and will continue to administer (operate? manage?) the
> root in accordance with those policies.
>
> B) The purchaser has not been in compliance with Mozilla policies for
> more than 12 months but will do so before the transfer takes place. The
> purchaser will then continue to administer/operate/manage the root in
> accordance with Mozilla policies.
>

How about:

B2) The purchaser is not part of the Mozilla root program and has not been so in the recent past, but intends to continue the program membership held by the seller. The purchaser intends to complete approval negotiations with the Mozilla root program before the transfer takes place. The purchaser intends to retain most of the expertise, personnel, equipment etc. involved in the operation of the CA, as will be detailed during such negotiations.

This, or some other wording, would be for a complete purchase of the business rather than a merge into an existing CA, similar to what happened when Symantec purchased Verisign's original CA business years ago, or (on a much smaller scale) when Nets purchased the TDC's CA business unit and renamed it as DanID.

> C) The purchaser does not intend to operate the root in accordance with
> Mozilla policies. Mozilla should remove trust from the root upon
> completion of the transfer.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy