On Thu, Mar 29, 2018 at 8:53 AM, Ryan Sleevi <[email protected]> wrote:
> On Mon, Mar 26, 2018 at 3:46 PM, Wayne Thayer via dev-security-policy <
> [email protected]> wrote:
>
>> When the Francisco Partners acquisition of Comodo was announced, it was
>> pointed out [1] that a strict reading of the current policy section 8.1
>> would have forced Comodo to stop issuing certificates for some period of
>> time:
>>
>> If the receiving or acquiring company is new to the Mozilla root program,
>> > there MUST be a public discussion regarding their admittance to the root
>> > program, which Mozilla must resolve with a positive conclusion before
>> > issuance is permitted.
>> >
>>
>> I propose that we update section 8.1 to distinguish between root transfers
>> and acquisition of or investment in a CA organization, with the latter
>> cases allowing issuance to continue during the discussion period.
>>
>> During the earlier discussion on this topic [1], it was also proposed that
>> we require the receiving or acquiring company to make no changes during
>> the discussion period and that we require all material changes anticipated
>> as a result of the investment or acquisition to be publicly disclosed by
>> the CA.
>>
>> This is: https://github.com/mozilla/pkipolicy/issues/109
>>
>> [1]
>> https://groups.google.com/d/msg/mozilla.dev.security.policy/AvGlsb4BAZo/gQe5ggE6BQAJ
>
>
> I'm having a little bit of difficulty imagining what you see the change
> looking like. Do you have draft text in mind, to look for possible
> exploitable loopholes?
>

Here's a proposal:
https://github.com/mozilla/pkipolicy/commit/565250b9bbc16c1a4e3d4165f0171e8702b2b21d

> On its face, it sounds reasonable, but it seems the wording will be tricky
> to get right.
>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

