In a recent incident report [1], a representative of Sectigo noted: The carve out from Comodo Group was a tough time for us. We had twenty > years’ worth of completely intertwined systems that had to be disentangled > ASAP, a vast hairball of legacy code to deal with, and a skeleton crew of > employees that numbered well under half of what we needed to operate in any > reasonable fashion.
This referred to the previous split [2] of the Comodo CA business from the rest of Comodo businesses, and rebranding as Sectigo. In addition to the questions posted by Wayne, I think it'd be useful to confirm: 1. Is it expected that there will be similar system and/or infrastructure migrations as part of this? Sectigo's foresight of "no effect on its operations" leaves it a bit ambiguous whether this is meant as "practical" effect (e.g. requiring a change of CP/CS or effective policies) or whether this is meant as no "operational" impact (e.g. things will change, but there's no disruption anticipated). It'd be useful to frame this response in terms of any anticipated changes at all (from mundane, like updating the logos on the website, to significant, such as any procedure/equipment changes), rather than observed effects. 2. Is there a risk that such an acquisition might further reduce the crew of employees to an even smaller number? Perhaps not immediately, but over time, say the next two years, such as "eliminating redundancies" or "streamlining operations"? I recognize that there's an opportunity such an acquisition might allow for greater investment and/or scale, and so don't want to presume the negative, but it would be good to get a clear commitment as to that, similar to other acquisitions in the past (e.g. Symantec CA operations by DigiCert) [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1648717#c21 [2] https://groups.google.com/g/mozilla.dev.security.policy/c/AvGlsb4BAZo/m/p_qpnU9FBQAJ On Thu, Oct 1, 2020 at 4:55 PM Ben Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > As announced previously by Rob Stradling, there is an agreement for > private investment firm GI Partners, out of San Francisco, CA, to acquire > Sectigo. Press release: > https://sectigo.com/resource-library/sectigo-to-be-acquired-by-gi-partners > . > > > I am treating this as a change of legal ownership covered by section 8.1 > < > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#81-change-in-legal-ownership > > > of the Mozilla Root Store Policy, which states: > > > If the receiving or acquiring company is new to the Mozilla root program, > > it must demonstrate compliance with the entirety of this policy and there > > MUST be a public discussion regarding their admittance to the root > program, > > which Mozilla must resolve with a positive conclusion in order for the > > affected certificate(s) to remain in the root program. > > In order to comply with policy, I hereby formally announce the commencement > of a 3-week discussion period for this change in legal ownership of Sectigo > by requesting thoughtful and constructive feedback from the community. > > Sectigo has already stated that it foresees no effect on its operations due > to this ownership change, and I believe that the acquisition announced by > Sectigo and GI Partners is compliant with Mozilla policy. > > Thanks, > > Ben > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy