On Thu, Nov 9, 2017 at 1:25 PM, Peter Kurrasch via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> There's always a risk that a CA owner will create a security nightmare
> when we aren't looking, probationary period or not. In theory regular
> audits help to prevent it, but even in cases where they don't, people are
> free to raise concerns as they come up. I think we've had examples of
> exactly that in both StartCom and Symantec.
>

I agree. What we're really talking about here is the removal of trust in a
CA based on new information. In the case of an acquisition, that
information may not be publicly available until after a deal is completed,
making the current requirement to halt issuance very disruptive. I'd modify
section 8.1 of the policy to distinguish an acquisition of the CA
operations from a purchase of a root key, and only require approval prior
to issuance in the latter case.

>
>
> Perhaps one way to think of it is: Do we have reason to believe that the
> acquiring organization, leadership, etc. will probably make good decisions
> in the furtherance of public trust on the Internet? For a company that is a
> complete unknown, I would say that no evidence exists and therefore a
> public review prior to the acquisition is appropriate. If we do have
> sufficient evidence, perhaps it's OK to let the acquisition go through and
> have a public discussion afterwards.
>

The CA should be responsible for providing information about the effect of
the acquisition on their operations. In this case, Robin provided some
essentials:

>As you have seen from the announcement, we have a new CEO and new Chairman
>who have prior experience in managing a trusted CA organization.
>
>There are to be no resultant changes to our CPS, our operations, our
>business policies or procedures, or the secure locations from which we
>operate our CA infrastructure.
>
>The operational personnel in Comodo CA Limited will not change.  The
>certificate validation teams will remain unchanged.

The policy already requires the CA to disclose any CPS changes. I'd add a
requirement that the CA provide a public statement describing all material
changes that will be made as a result of the acquisition. That statement
should be signed by senior management of the acquiring company. The CA
should also [obviously] be expected to answer any reasonable questions that
are raised during the discussion period.

>
> The Francisco Partners situation is more complicated, however. Francisco
> Partners itself does not strike me as the sort of company that should own a
> CA but only because they are investors and not a public trust firm of some
> sort. That said, they are smart enough to bring in a leadership team that
> does have knowledge and experience in this space. Unfortunately, though,
> they are also bringing in a Deep Packet Inspection business which is
> antithetical to public trust. So what is one to conclude?
>
> The reporting that I've seen seems to indicate that Francisco Partners will
> not (will never?) combine PKI and DPI into a single business operation.
> They have to know that doing so would be ruinous to their CA investment. If
> we assume they know that and if we are willing to take them at their word,
> I suppose it's reasonable to "allow" the transfer as it relates to Mozilla
> policy. If we should learn later on that that trust was misplaced, I'm sure
> we will discuss it and take appropriate action at that time.
>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy