Hi Gerv,

Your updates look good! One small quibble: The bottom of the Physical Relocation section mentions the code signing trust bit, but I think that is irrelevant now?

Would you feel comfortable mandating that, whenever an organization notifies Mozilla about changes in ownership or operation, the organization must notify the public about any such changes? The idea here is transparency, and making sure that all parties (subscribers and relying parties alike) are made aware of the changes in case they wish to make changes of their own.

For whatever it's worth, I gave the Personnel Changes section a bit of thought and wondered if further articulation of "changes" might be helpful. The example that came to mind is GTS and GlobalSign--specifically, that Google would continue to use GlobalSign's infrastructure until a transition is made in the future. Presumably, a change in personnel will take place when Google switches to its own infrastructure, so should Mozilla be notified at that time? As written, I think the answer could be yes, but is that necessarily what you want?

(And, for the record, I'm not trying to rehash any past discussion of the acquisition. Rather, I thought it might be a good real-world example based on my understanding of events. If my facts are wrong, that hopefully will not nullify its value as a hypothetical example.)

If you prefer to leave the personnel section as-is, I have no issue with that.

From: Gervase Markham via dev-security-policy
Sent: Monday, May 1, 2017 4:02 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Reply To: Gervase Markham
Subject: Policy 2.5 Proposal: Incorporate Root Transfer Policy

Mozilla has a Root Transfer Policy which sets out our expectations
regarding how roots are transferred between organizations, or what
happens when one company buys another, based on a recognition that trust
is not always transferable.


It has been reasonably observed that it would be better if this policy
were part of our official policy rather than a separate wiki page.

So, I have attempted to take that wiki page, remove duplication and boil
it down into a set of requirements to add to the existing policy.

Here is a diff of the proposed changes:

This is: https://github.com/mozilla/pkipolicy/issues/57


This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
Update process:
dev-security-policy mailing list

dev-security-policy mailing list

Reply via email to