On Thursday, a representative of AC Camerfirma sent an email informing Mozilla that InfoCert [1] has taken control of Camerfirma. News of the deal was first published on May 4th. [2]
Section 8.1 of our policy applies here (quoting version 2.6 draft): If the receiving or acquiring company is new to the Mozilla root program, > it must demonstrate compliance with the entirety of this policy and there > MUST be a public discussion regarding their admittance to the root program, > which Mozilla must resolve with a positive conclusion in order for the > affected certificate(s) to remain in the root program. If the entire CA > operation is not included in the scope of the transaction, issuance is not > permitted until the discussion has been resolved with a positive conclusion. > InfoCert is new to the Mozilla root program, so a public discussion regarding their admittance to the root program is in order. I have requested clarification, but my current understanding is that AC Camerfirma's entire CA operation is part of the transaction. Thus, according to our new policy, certificate issuance may continue during our discussion period. Camerfirma has informed me that they will not be able to answer our questions until the transaction "has been done in the Spanish government's public registry", which they expect to take approximately 4 weeks. Meanwhile, I have created a bug [3] to track this request and have posed a number of questions to InfoCert. - Wayne [1] https://infocert.digital/about-us/ [2] https://www.corrierecomunicazioni.it/digital-economy/infocert-sbarca-allestero-acquisito-il-51-della-spagnola-camerfirma/ [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1463597 _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy