On Mon, Mar 26, 2018 at 3:46 PM, Wayne Thayer via dev-security-policy <
[email protected]> wrote:

> When the Francisco Partners acquisition of Comodo was announced, it was
> pointed out [1] that a strict reading of the current policy section 8.1
> would have forced Comodo to stop issuing certificates for some period of
> time:
>
> > If the receiving or acquiring company is new to the Mozilla root program,
> > there MUST be a public discussion regarding their admittance to the root
> > program, which Mozilla must resolve with a positive conclusion before
> > issuance is permitted.
>
> I propose that we update section 8.1 to distinguish between root transfers
> and acquisition of or investment in a CA organization, with the latter
> cases allowing issuance to continue during the discussion period.
>
> During the earlier discussion on this topic [1], it was also proposed that
> we require the receiving or acquiring company to make no changes during the
> discussion period and that we require all material changes anticipated as a
> result of the investment or acquisition to be publicly disclosed by the CA.
>
> This is: https://github.com/mozilla/pkipolicy/issues/109
>
> [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/AvGlsb4BAZo/gQe5ggE6BQAJ


I'm having a little bit of difficulty imagining what you see the change
looking like. Do you have draft text in mind, to look for possible
exploitable loopholes?

On its face, it sounds reasonable, but it seems the wording will be tricky
to get right.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy