On Mon, Apr 24, 2017 at 9:42 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 25/04/2017 03:10, Peter Kurrasch wrote:
>
>> Fair enough. I propose the following for consideration:
>>
>> Prior to transferring ownership of a root cert contained in the trusted
>> store (either on an individual root basis or as part of a company
>> acquisition), a public attestation must be given as to the intended
>> management of the root upon completion of the transfer. "Intention" must
>> be one of the following:
>>
>> A) The purchaser has been in compliance with Mozilla policies for more
>> than 12 months and will continue to administer (operate? manage?) the
>> root in accordance with those policies.
>>
>> B) The purchaser has not been in compliance with Mozilla policies for
>> more than 12 months but will do so before the transfer takes place. The
>> purchaser will then continue to administer/operate/manage the root in
>> accordance with Mozilla policies.
>>
>> How about:
>
> B2) The purchaser is not part of the Mozilla root program and has not
> been so in the recent past, but intends to continue the program
> membership held by the seller. The purchaser intends to complete
> approval negotiations with the Mozilla root program before the transfer
> takes place. The purchaser intends to retain most of the expertise,
> personnel, equipment etc. involved in the operation of the CA, as will
> be detailed during such negotiations.
>
> This, or some other wording, would be for a complete purchase of the
> business rather than a merge into an existing CA, similar to what
> happened when Symantec purchased Verisign's original CA business years
> ago, or (on a much smaller scale) when Nets purchased the TDC's CA
> business unit and renamed it as DanID.
>

Why is that desirable? If anything, such acquisitions seem to be more harmful than helpful to the CA ecosystem. That is, why _wouldn't_ a merge be useful/desirable? What problems are you attempting to solve?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy