Thanks, Peter

1. "I'm not looking whether one company is owned by another, so "is part of" does not matter.  I'm looking at the audit reports which, by the definition of ISAE 3000, list the "responsible party".  My interpretation is that "responsible party" is equivalent to "ownership or control of the CA's operations" in the Mozilla policy."

ISAE (International Standard on Assurance Engagements) is a tool for auditors to produce one of two types of audit reports: a reasonable assurance engagement or a limited assurance engagement. The definition from ISAE 3000 shows that "responsible party" and "ownership or control of the CA's operations" in Mozilla policy are different concepts:

  Responsible party - The party(ies) responsible for the underlying subject matter. (Para. A34)
  Underlying subject matter - The phenomenon that is measured or evaluated by applying criteria.

2. "As you call out, the CPS says "The legal entity responsible of TeliaCA is Finnish company "Telia Finland Oyj" (BusinessID 1475607-9)". Based on the audit report, Telia Finland Oyj is NOT the responsible party for the operations of the CA.  Prior messages stated that Telia Finland is the legal owner. This indicates Telia Finland has "ownership or control of the CA's certificate(s)"."

Again, there is no "responsible party" in Mozilla policy or underlying standards. According to RFC 3647 the applicant under this root inclusion procedure has to disclose all of its PKI participants: CAs, RAs, subscribers, relying parties and other parties.

3. "I frequently have not known which company my colleagues legally work for - it just doesn't matter for day to day purposes."

I fully understand you, but as we already discussed earlier, for CA's personnel requirements see RFC 3647 section 4.5.3: anyone working for CA's operations should be contracted according to their roles in the CA's operations - also, let's not forget about the sanctions against personnel for authorised actions, unauthorized use of authority etc.

4. "I'm suggesting improvements in Mozilla policy because this discussion has shown the current policy does not provide clarity as to legal entities and because you have reasonably called out that having clarity is beneficial to transparency."

I do support your suggestion, however I'm not sure if this can be done within a specific root inclusion procedure - obviously this is something to decide for Mozilla.

5. "I have zero experience with eIDAS, so I cannot comment on eIDAS-related practices."

If you don't mind, I'll give you more responding to Ryan's comment, ok?

Thanks,
M.D.

Sent from my Galaxy
-------- Original message --------
From: Peter Bowen <[email protected]>
Date: 1/11/22 01:03 (GMT+02:00)
To: "Moudrick M. Dadashov" <[email protected]>
Cc: md <[email protected]>, "[email protected]" <[email protected]>, [email protected], Ryan Sleevi <[email protected]>
Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2

On Mon, Jan 10, 2022 at 1:12 PM Moudrick M. Dadashov <[email protected]> wrote:
>
> Thanks, Peter
>
> Indeed, you just quoted the same parts from the documentation that I did in my 2021-12-29 email.
>
> According to CPS two different legal entities declared to have been representing the CA just because one "is part of" another which according to Mozilla policy means "legal ownership" that has nothing to do with the CA operations.

I'm not looking whether one company is owned by another, so "is part of" does not matter.  I'm looking at the audit reports which, by the definition of ISAE 3000, list the "responsible party".  My interpretation is that "responsible party" is equivalent to "ownership or control of the CA's operations" in the Mozilla policy.

As you call out, the CPS says "The legal entity responsible of TeliaCA is Finnish company "Telia Finland Oyj" (BusinessID 1475607-9)".  Based on the audit report, Telia Finland Oyj is NOT the responsible party for the operations of the CA.  Prior messages stated that Telia Finland is the legal owner. This indicates Telia Finland has "ownership or control of the CA's certificate(s)".

> Sorry, I'm confused that while you don't see problems here, but at the same time proposing improvements to Mozilla policy - isn't this "customization of rules" to the needs of a specific legal entity?

I know from working for multiple companies that had operations in different countries and different tax jurisdictions that it is very common to have people employed by different legal entities who work together as a single team.  I frequently have not known which company my colleagues legally work for - it just doesn't matter for day to day purposes.  At one point I worked for XYZ Canada Ltd, my boss worked for ABC GmbH, his boss worked for XYZ Inc in the US.  The person working for XYZ Inc was the senior vice president and general manager for ABC and had responsibility and control of ABC, even if he didn't work for ABC GmbH.  At another group of companies, we had people from multiple legal entities working in the same building side by side.  The fact that I worked for Example PQR LLC and my colleague worked for Example JKL LLC was only found if you looked at the details for entries in the corporate directory.  We both had email addresses ending in @example.com.  This seems normal and common to me.

I'm suggesting improvements in Mozilla policy because this discussion has shown the current policy does not provide clarity as to legal entities and because you have reasonably called out that having clarity is beneficial to transparency.  This lack of clarity is not unique to Telia; for example, the GlobalSign CPS says "GlobalSign NV/SA and affiliated entities".  Given the lack of requirement of public disclosure of the owner of the private key/certificate, I'm not sure how many other CAs in the Mozilla program have separation between the operator and key owner.

> While this is quite typical for Telia Company AB's eIDAS related practices, I'm very concerned it's happening here.

I have zero experience with eIDAS, so I cannot comment on eIDAS-related practices.

Thanks,
Peter

>
> Thanks,
> M.D.
>
> Sent from my Galaxy
>
> -------- Original message --------
> From: Peter Bowen <[email protected]>
> Date: 1/10/22 22:26 (GMT+02:00)
> To: md <[email protected]>
> Cc: "[email protected]" <[email protected]>, [email protected], "[email protected]" <[email protected]>, Ryan Sleevi <[email protected]>
> Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2
>
> On Mon, Jan 10, 2022 at 11:05 AM md <[email protected]> wrote:
> >
> > Thanks, Peter
> >
> > Below I'm relying on the Mozilla policy (MP) published here:
> > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
> >
> > You say you are confused and looks like because of following:
> >
> > 1.  Telia Finland Oyj is part of Swedish company "Telia Company AB" (BusinessID 5561034249).
> >
> > Please note Telia Finland Oyj is a legal entity with its own BusinessID, material/human resources, management and location (see MP section 3.1.4 (13)).
> >
> > As "CAs SHOULD NOT assume that trust is transferable" (MP section 8), using the MP terminology the relationship between Telia Company AB and Telia Finland Oyj is "legal ownership". Feel free to rely on any privileges the policy assumes for this kind of ownership parties.
> >
> > The reason of confusion is mixing two different terms "legal ownership" and "CA operations" (as in MP section 8.2).
> >
> > 2. "It also seems clear to me that Telia Company AB has overall control of the CA operations, as they are the responsible party as documented in the WebTrust management assertion and addressed in the auditor's opinion."
> >
> > See, this needs to be clear not only to highly skilled professional like yourself, but also to relying parties. I've no problem with Telia Company AB or Telia Finland Oyj being a CA, however I have big problem for both of them pretending to be PKI participant with undisclosed roles - in this context "has overall control" is misunderstanding, again, see MP section 8.2.
> >
> > ************
> >
> > I'm afraid your good example below is not applicable to this case - those companies, if I understood correctly, have contractual relationship, whereas in our case all we have is "is part of" which means the legal owner (Telia Company AB) controls shares of another legal entity (Telia Finland Oyj). This has nothing to do with CA operations.
>
> From the Telia CA audit reports: "Telia Company AB (Telia) operates the Certificate Authority (CA) services as listed in Appendix A" (the first sentence of https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTCA-20210628.pdf).
> From that same file, KPMG conducted their procedures as per ISAE 3000, which requires KPMG to determine the "responsible party".  KPMG clearly states that it is "Telia Company AB" in their opinion letter.
>
> Given the root certificate currently under discussion is not part of the root program, and the ownership and control seem to be clearly stated, I do not see an issue here.
>
> There may be a separate concern that the operations of the "TeliaSonera Root CA v1" CA were transferred at some point.  Mozilla policy does not require public notice of transfer - notice can be provided to Mozilla privately.  Given this, it is not possible to identify if notice was provided.
>
> From this discussion, it does seem that Mozilla should consider a few actions:
> 1) Update the policy to require disclosure of the legal entity that owns the CA private key (instead of the CA certificate)
> 2) Update the policy to require disclosure in the CCADB, for each root CA and subordinate CA, of:
>    * the legal entity that owns the CA private key
>    * the legal entity that is the operator of the CA and is either the "Responsible Party" (ISAE 3000) or employer/contractor of the "Management and Those Charged With Governance" (AT-C 801) of the CA
> 3) Clarify how the community will be notified of changes, given the policy says that "Mozilla will normally keep commercially sensitive information confidential."
>
> Thanks,
> Peter
