I would like to begin a 3-week public discussion period for InfoCert's acquisition of Camerfirma [1] as described in section 8.1 of the Mozilla Root Store Policy. I believe that the intent of our policy in this scenario is to identify and consider any risks introduced by the acquisition of Camerfirma, and not to reevaluate Camerfirma's inclusion as if it were a new CA. In that context, I will appreciate everyone's constructive input on issues that may affect Mozilla's ongoing trust in InfoCert/Camerfirma. I have included some additional information below.
- Wayne

Camerfirma answered the questions that I posed [2] about this acquisition as follows:

* Can you confirm that the entire CA operation has been acquired? This means that all of the roots, systems, policies, people, and infrastructure are not changing.
  -> Yes
* Have any CP/CPS changes occurred, or do you expect any change to occur as the result of this transaction?
  -> No
* Are you undergoing any additional audits, or do you expect any changes in the status of your audits or compliance certificates as the result of this transaction?
  -> No
* Please describe the management changes that will result from this transaction.
  -> No changes are expected in the management
* Please describe any changes to personnel that will result from this transaction.
  -> No changes are expected to personnel
* Please describe any changes to policies that will result from this transaction.
  -> No changes are expected to policies
* Please describe any changes to systems that will happen as a result of this transaction.
  -> No changes are expected to systems
* Please describe any other changes that will result from this transaction.
  -> No changes are expected
* Why was Mozilla not notified of this transaction 2 weeks ago when it was announced?
  -> The operation is already public but it's necessary to wait until it has been done in the Spanish government's public registry. This point determines the effectiveness of the operation with third parties.

Camerfirma has four SHA-1 roots included in the Mozilla program:

* Chambers of Commerce Root
* Chambers of Commerce Root - 2008
* Global Chambersign Root
* Global Chambersign Root - 2008

A request to include Camerfirma's SHA-2 roots was denied in April [3][4]. They have since informed me that they are in the process of generating new roots.

Camerfirma has one open compliance bug [5] requesting full audit information for a subordinate CA.

Camerfirma's 2018 audit statements are overdue - the prior period ended on 14-April 2017, and new statements have not yet been supplied to Mozilla. Last year's statements are still listed on the Camerfirma website [6].

The latest version of the CPS [7], published in May, does not document any changes that I find concerning.

[1] https://infocert.digital/infocert-underwrites-a-capital-increase-to-acquire-51-of-the-spanish-ac-camerfirma/
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1463597
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=986854
[4] https://groups.google.com/d/msg/mozilla.dev.security.policy/skev4gp_bY4/snIuP2JLAgAJ
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1455147
[6] https://www.camerfirma.com/camerfirma/acreditaciones/
[7] http://docs.camerfirma.com/publico/DocumentosWeb/politicas/CPS_3.3.1_EN.pdf

On Tue, May 22, 2018 at 3:50 PM Wayne Thayer <[email protected]> wrote:

> On Thursday, a representative of AC Camerfirma sent an email informing Mozilla that InfoCert [1] has taken control of Camerfirma. News of the deal was first published on May 4th. [2]
>
> Section 8.1 of our policy applies here (quoting version 2.6 draft):
>
>> If the receiving or acquiring company is new to the Mozilla root program, it must demonstrate compliance with the entirety of this policy and there MUST be a public discussion regarding their admittance to the root program, which Mozilla must resolve with a positive conclusion in order for the affected certificate(s) to remain in the root program. If the entire CA operation is not included in the scope of the transaction, issuance is not permitted until the discussion has been resolved with a positive conclusion.
>
> InfoCert is new to the Mozilla root program, so a public discussion regarding their admittance to the root program is in order. I have requested clarification, but my current understanding is that AC Camerfirma's entire CA operation is part of the transaction. Thus, according to our new policy, certificate issuance may continue during our discussion period.
>
> Camerfirma has informed me that they will not be able to answer our questions until the transaction "has been done in the Spanish government's public registry", which they expect to take approximately 4 weeks. Meanwhile, I have created a bug [3] to track this request and have posed a number of questions to InfoCert.
>
> - Wayne
>
> [1] https://infocert.digital/about-us/
> [2] https://www.corrierecomunicazioni.it/digital-economy/infocert-sbarca-allestero-acquisito-il-51-della-spagnola-camerfirma/
> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1463597

