[ Also at
https://blog.mozilla.org/security/2017/10/31/statement-digicerts-proposed-purchase-symantec/
]

Mozilla’s Root Store Program has taken the position that trust is not
automatically transferable between organizations. This is specifically
stated in section 8 of our Root Store Policy v2.5[0], which details how
Mozilla handles transfers of root certificates between organizations.
Mozilla has taken an interest in such transfers, and there is the
potential for trust adjustments based on the particular circumstances.

The CA DigiCert has announced that it is in negotiations to acquire the
CA business of Symantec[1]. This announcement was made following the
decision of Mozilla and other root store programs to phase out trust in
Symantec’s root certificates[2], based on a detailed investigation[3] of
their old and large CA hierarchies and their behaviour and practices
over the past few years. There are no plans to change this phase-out of
trust in the roots owned by Symantec.

While Mozilla does not intend to micro-manage any CA, the final
arrangements for management, processes and infrastructure to be used
by the combined company are of interest and potential concern to us. It
would not be appropriate for a CA to escape root program sanction by
restructuring, or by purchasing another CA through M&A and continuing
operations under that CA’s name, essentially unchanged. And examination
of historical corporate merger and acquisition activity, including deals
involving Symantec, shows that it’s possible for an M&A billed as the
“purchase of B by A” to end up with name A and yet be mostly managed by
the executives of B.

Representatives of DigiCert have sought guidance from us on the type of
arrangements which would and would not cause us concern. In a good faith
effort to answer that enquiry, we can make the following, non-exhaustive
statements of what would cause Mozilla concern.

* We would be concerned if the combined company continued to operate
  significant pieces of Symantec’s old infrastructure as part of their
  day-to-day issuance of publicly-trusted certificates.

* We would be concerned if Symantec validation and operations personnel
  continued their roles without retraining in DigiCert methods and
  culture.

* We would be concerned if Symantec processes appeared to displace
  DigiCert processes.

* We would be concerned if the management of the combined company,
  particularly that part of it providing technical and policy direction
  and oversight of the PKI, were to appear as if Symantec were the
  controlling CA organization in the merger.

We hope that this provides useful guidance about our concerns, and note
that our final opinion of the trustworthiness of the resulting entity
will depend on the facts and behavior of the resulting organization.
Mozilla reserves the right to include or exclude organizations or root
certificates from our root store at our sole discretion. However, if the
M&A activity moves forward, we hope that the list above will be helpful
to DigiCert in planning for a future harmonious working relationship
with the Mozilla Root Program.

Gervase Markham
Kathleen Wilson


[0] http://www.mozilla.org/projects/security/certs/policy/
[1] https://www.digicert.com/news/digicert-to-acquire-symantec-website-security-business/
[2] https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/El1mH8S6AwAJ
[3] https://wiki.mozilla.org/CA:Symantec_Issues