Thanks, Peter

Below I'm relying on the Mozilla policy (MP) published here:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

You say you are confused, and it looks like it is because of the following:

1. Telia Finland Oyj is part of Swedish company "Telia Company AB" (BusinessID 5561034249).

Please note Telia Finland Oyj is a legal entity with its own BusinessID, material/human resources, management and location (see MP section 3.1.4 (13)).

As "CAs SHOULD NOT assume that trust is transferable" (MP section 8), using the MP terminology the relationship between Telia Company AB and Telia Finland Oyj is "legal ownership". Feel free to rely on any privileges the policy assumes for parties in this kind of ownership relationship.

The reason for the confusion is mixing two different terms, "legal ownership" and "CA operations" (as in MP section 8.2).

2. "It also seems clear to me that Telia Company AB has overall control of the CA operations, as they are the responsible party as documented in the WebTrust management assertion and addressed in the auditor's opinion."

See, this needs to be clear not only to a highly skilled professional like yourself, but also to relying parties. I've no problem with Telia Company AB or Telia Finland Oyj being a CA; however, I have a big problem with both of them pretending to be PKI participants with undisclosed roles. In this context "has overall control" is a misunderstanding; again, see MP section 8.2.

************

I'm afraid your good example below is not applicable to this case. Those companies, if I understood correctly, have a contractual relationship, whereas in our case all we have is "is part of", which means the legal owner (Telia Company AB) controls shares of another legal entity (Telia Finland Oyj). This has nothing to do with CA operations.

Thanks,
M.D.

-------- Original message --------
From: Peter Bowen <[email protected]>
Date: 1/10/22 19:37 (GMT+02:00)
To: "Moudrick M. Dadashov" <[email protected]>
Cc: "[email protected]" <[email protected]>, [email protected], "[email protected]" <[email protected]>, Ryan Sleevi <[email protected]>
Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2

On Mon, Jan 10, 2022 at 7:08 AM 'Moudrick M. Dadashov' [email protected] <[email protected]> wrote:
>
> Hi Pekka,
>
> Before your claim can be finalized, we need clarification of the terms in your statement:
>
> "Specifically that Telia hasn't used any third party RAs except in the mentioned client certificate cases".
>
> You explained earlier that Telia is a trademark that Telia Finland Oyj is authorized to use in Finland.
>
> In the Telia's Management Assertion Telia Company AB uses the term Telia as a self short name. The same short name is used in the audit reports.
>
> So, based on the official documents, we don't know which legal entity represents the CA - Telia Company AB (Sweden) or Telia Finland Oyj (Finland). Once we identify the CA, it should be easier for you to disclose/identify other PKI participants, if any.
>
> "And that all other RA functions were operated internally by the Telia group so that all internal RA functions were covered under the WebTrust audit."
>
> Here you use the terms "internally" and "group" that have no meaning in the context of the CA operations - if you think they are defined in existing standards and Mozilla policy, just refer us to the appropriate sources.
>
> Once again, as from the CA operations' (CP/CPS) point of view Telia Company AB and Telia Finland Oyj are two different legal entities, you need to disclose their PKI participant roles as required by all applicable standards and policies I quoted earlier.

Moudrick,

I'm afraid I'm somewhat confused. Mozilla Policy calls out two places where the legal entity has to be disclosed: "ownership or control of the CA's certificate(s)" and "ownership or control of the CA's operations". I'm going to assume that the first really should be the CA's private keys, but that is something for a policy discussion.

The CPS says "The CA operating in compliance with this CPS is Telia CA. The legal entity responsible of Telia CA is Finnish company “Telia Finland Oyj” (BusinessID 1475607-9). Telia Finland Oyj is part of Swedish company “Telia Company AB” (BusinessID 5561034249)."

From this thread, it seems clear to me that Telia Finland Oyj has ownership of the CA certificate and keys. This has been stated multiple times in the thread.

It also seems clear to me that Telia Company AB has overall control of the CA operations, as they are the responsible party as documented in the WebTrust management assertion and addressed in the auditor's opinion.

I am unaware of any requirement in the Mozilla policy (directly or via inclusion by reference) that requires a CA to disclose the employer of all people they contract to assist in operations of the CA. This applies regardless of whether the employer(s) are Affiliates of the legal entity operating the CA, Affiliates of the legal entity owning the private keys, or independent third parties. The thing that matters is that the entity operating the CA takes responsibility for and has control over the actions undertaken by the people operating the CA.

As an example, as I understand it, if Alfa, Inc. owns a private key, they can contract Bravo Ltd. to operate the CA (including RA functions). Bravo Ltd would then be listed as the responsible party in the WebTrust audit report. Bravo can contract Charlie Pty Ltd, Delta GmbH, and Echo BV to assist in the operations of the CA. This could include providing physical security for the private keys, providing ICT administration, applicant review services, or other work. As long as Bravo has oversight and control of the operations, it is not necessary to list Charlie, Delta, or Echo in the CPS nor in the WebTrust audit report.

I do realize that other regulations and requirements may require disclosure of some or all of Charlie, Delta, or Echo. For example, some CAs disclose information on sub-processors for the purpose of complying with GDPR; see
https://www.globalsign.com/en/repository/GlobalSign-Subprocessors.pdf
as an example. This is independent of the Mozilla requirements, to the best of my knowledge.

Thanks,
Peter
(my personal view and does not necessarily reflect the views of anyone else)
--
Posted to the Google Groups "[email protected]" group. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/61dc838b.1c69fb81.97bdb.f268SMTPIN_ADDED_MISSING%40mx.google.com.
