On Monday, April 24, 2017 at 8:02:15 PM UTC-7, Peter Kurrasch wrote:
> I see what you're saying and there should be some consideration for that scenario. If the acquiring company will keep all the same infrastructure and staff and if decision making authority will remain with that staff, then I think it's reasonable to make that accommodation.
>
> Using a word like "all" could be going too far but at the moment I'm not sure how to strike a softer tone and still have something that is precise and enforceable.
Peter,

Sending this from my personal account (my work laptop isn't handy) so will avoid discussions of anything related to GTS, but I wanted to share my perspective as someone who has built a number of CAs as well as participated in and led several transfers.

Your text seems to suggest that there is something inherently good about keeping the current staff and infrastructure. My experience has been that that is not necessarily the case.

To be clear, I understand your position, though I disagree, that being you see there is a value in one organization having all the certificates that bear the same brand. I don't wish to re-debate that with you; I just wanted to provide some examples of where partial transfers have provided the Internet at large value.

The most recent example of this is DigiCert's acquisition of the Verizon assets. In this case, the existing staff and business leadership demonstrated a continual inability to operate in accordance with the requirements. DigiCert stepped up to provide the needed adult supervision and paid for the right to do so.

While it is true that in this case the keys were being acquired by a member of a root program, I think the most important things are that an organization with the means, skills, and vested interest stepped up.

There have also been several (largely) non-public examples where organizations with tons of means lost all interest and the keys were left in the hands of the unqualified and uninterested; audits don't show this. Thankfully in both of these cases, I think largely the right thing happened.

In one case the sr. leadership at the business ultimately decided to destroy the key material once they understood what it could be used for. Of the possible outcomes, I guess it is fair to say that the outcome here was not bad, but I have spent a big chunk of my career trying to get the web encrypted and honestly I wish those keys could have been used by a new entrant, maybe Let's Encrypt, to make SSL more ubiquitous. This last point is material because it took Let's Encrypt nearly two years to find someone to cross them.

There are also other cases where CAs were carved up and sold off in bits and the only thing that remained was the keys; none of the staff or other infrastructure was used. These keys also went to other CAs.

Anyway, I personally think Mozilla Root Program should be managed with a high order goal of increasing the use of encryption on the web. Root sales and transfers have been a big part of how we have gotten to over 50% of the web being encrypted and I suspect it will continue to be important.

In short, I think it would be a shame if we precluded these transfers and instead think it is best to focus on how to make sure the receiving organization proves they can continue to meet the criteria, or like in the case of DigiCert's acquisition, they have a plan to remedy the issues that have been identified.