On Mon, Jan 10, 2022 at 11:05 AM md <[email protected]> wrote:
>
> Thanks, Peter
>
> Below I’m relying on the Mozilla policy (MP) published here:
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
>
> You say you are confused, and it looks like it is because of the following:
>
> 1.  Telia Finland Oyj is part of Swedish company “Telia Company AB” 
> (BusinessID 5561034249).
>
> Please note Telia Finland Oyj is a legal entity with its own BusinessID, 
> material/human resources, management and location (see MP  section 3.1.4 
> (13)).
>
> As "CAs SHOULD NOT assume that trust is transferable" (MP section 8), using 
> the MP terminology the relationship between Telia Company AB and Telia 
> Finland Oyj is "legal ownership". Feel free to rely on any privileges the 
> policy assumes for this kind of ownership parties.
>
> The reason for the confusion is mixing two different terms, "legal ownership" and 
> "CA operations" (as in MP section 8.2).
>
> 2. "It also seems clear to me that Telia Company AB has overall control of
> the CA operations, as they are the responsible party as documented in
> the WebTrust management assertion and addressed in the auditor's
> opinion."
>
> See, this needs to be clear not only to a highly skilled professional like 
> yourself, but also to relying parties. I’ve no problem with Telia Company AB 
> or Telia Finland Oyj being a CA, however I have a big problem with both of them 
> pretending to be a PKI participant with undisclosed roles - in this context 
> ”has overall control” is a misunderstanding, again, see MP section 8.2.
>
> ************
>
>
> I’m afraid your good example below is not applicable to this case - those 
> companies, if I understood correctly, have a contractual relationship, whereas 
> in our case all we have is "is part of", which means the legal owner (Telia 
> Company AB) controls shares of another legal entity (Telia Finland Oyj). This 
> has nothing to do with CA operations.

From the Telia CA audit reports: "Telia Company AB (Telia) operates
the Certificate Authority (CA) services as listed in Appendix A" (the
first sentence of
https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTCA-20210628.pdf).
From that same file, KPMG conducted their procedures as per ISAE 3000,
which requires KPMG to determine the "responsible party".  KPMG
clearly states that it is "Telia Company AB" in their opinion letter.

Given the root certificate currently under discussion is not part of
the root program, and the ownership and control seem to be clearly
stated, I do not see an issue here.

There may be a separate concern that the operations of the
"TeliaSonera Root CA v1" CA were transferred at some point.  Mozilla
policy does not require public notice of transfer - notice can be
provided to Mozilla privately.  Given this, it is not possible to
identify if notice was provided.

From this discussion, it does seem that Mozilla should consider a few actions:
1) Update the policy to require disclosure of the legal entity that
owns the CA private key (instead of the CA certificate)
2) Update the policy to require disclosure in the CCADB, for each root
CA and subordinate CA, of:
* the legal entity that owns CA private key
* the legal entity that is the operator of the CA and is either the
"Responsible Party" (ISAE 3000) or employer/contractor of the
"Management and Those Charged With Governance" (AT-C 801) of the CA
3) Clarify how the community will be notified of changes, given the
policy says that "Mozilla will normally keep commercially sensitive
information confidential."

Thanks,
Peter

To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAK6vND_rMRqFSXM_jz4v8ssUqKqHyXqh_ewf8tr6o4qn6Dz-VA%40mail.gmail.com.