On 02/05/17 03:10, Peter Kurrasch wrote:
> Your updates look good! One small quibble: The bottom of the Physical
> Relocation section mentions the code signing trust bit, but I think that
> is irrelevant now?

I see that on https://wiki.mozilla.org/CA:RootTransferPolicy , but
that's the document we are superseding. Can you see that on the new doc?
I can't...

> Would you feel comfortable mandating that, whenever an organization
> notifies Mozilla about changes in ownership or operation, the
> organization must notify the public about any such changes? The idea
> here is transparency, and making sure that all parties (subscribers and
> relying parties alike) are made aware of the changes in case they wish
> to make changes of their own.

No, I would not be comfortable with that. I think that, as long as
security is not impacted (and if issuance is suspended, or continuing
under the old arrangements, it is not) it is fine for company deals to
remain confidential until they close. Once there is an actual change of
control and issuance restarts, clearly by that point the public must be
informed. But that is covered, for new root program entrants at least,
by the requirement that new orgs be vetted in m.d.s.p.

Do you think we should have a "public notification before issuance
(re-)begins" requirement even if e.g. existing CA B buys a root from
existing CA A?

> For whatever it's worth, I gave the Personnel Changes section a bit of
> thought and wondered if further articulation of "changes" might be
> helpful. The example that came to mind is GTS and
> GlobalSign--specifically, that Google would continue to use GlobalSign's
> infrastructure until a transition is made in the future. Presumably, a
> change in personnel will take place when Google switches to its own
> infrastructure, so should Mozilla be notified at that time? As written,
> I think the answer could be yes, but is that necessarily what you want?

What different might we want? :-)

dev-security-policy mailing list