Re: Acquisition policy (was: Francisco Partners acquires Comodo certificate authority business)

2017-11-10 Thread Wayne Thayer via dev-security-policy
On Thu, Nov 9, 2017 at 1:25 PM, Peter Kurrasch via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> There's always a risk that a CA owner will create a security nightmare
> when we aren't looking, probationary period or not. In theory regular
> audits help to prevent it, but even in cases where they don't, people are
> free to raise concerns as they come up. I think we've had examples of
> exactly that in both StartCom and Symantec.
>

I agree. What we're really talking about here is the removal of trust in a
CA based on new information. In the case of an acquisition, that
information may not be publicly available until after a deal is completed,
making the current requirement to halt issuance very disruptive. I'd modify
section 8.1 of the policy to distinguish an acquisition of the CA
operations from a purchase of a root key, and only require approval prior
to issuance in the latter case.

> Perhaps one way to think of it is: Do we have reason to believe that the
> acquiring organization, leadership, etc. will probably make good decisions
> in the furtherance of public trust on the Internet? For a company that is a
> complete unknown, I would say that no evidence exists and therefore a
> public review prior to the acquisition is appropriate. If we do have
> sufficient evidence, perhaps it's OK to let the acquisition go through and
> have a public discussion afterwards.
>

The CA should be responsible for providing information about the effect of
the acquisition on their operations. In this case, Robin provided some
essentials:

>As you have seen from the announcement, we have a new CEO and new Chairman
>who have prior experience in managing a trusted CA organization.
>
>There are to be no resultant changes to our CPS, our operations, our
>business policies or procedures, or the secure locations from which we
>operate our CA infrastructure.
>
>The operational personnel in Comodo CA Limited will not change.  The
>certificate validation teams will remain unchanged.

The policy already requires the CA to disclose any CPS changes. I'd add a
requirement that the CA provide a public statement describing all material
changes that will be made as a result of the acquisition. That statement
should be signed by Senior management of the acquiring company. The CA
should also [obviously] be expected to answer any reasonable questions that
are raised during the discussion period.

>
> The Francisco Partners situation is more complicated, however. Francisco
> Partners itself does not strike me as the sort of company that should own a
> CA but only because they are investors and not a public trust firm of some
> sort. That said, they are smart enough to bring in a leadership team that
> does have knowledge and experience in this space. Unfortunately, though,
> they are also bringing in a Deep Packet Inspection business which is
> antithetical to public trust. So what is one to conclude?
>
> The reporting that I've seen seems to indicate that Francisco Partners will
> not (will never?) combine ‎PKI and DPI into a single business operation.
> They have to know that doing so would be ruinous to their CA investment. If
> we assume they know that and if we are willing to take them at their word,
> I suppose it's reasonable to "allow" the transfer as it relates to Mozilla
> policy. If we should learn later on that that trust was misplaced, I'm sure
> we will discuss it and take appropriate action at that time.
>
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Acquisition policy (was: Francisco Partners acquires Comodo certificate authority business)

2017-11-09 Thread Peter Kurrasch via dev-security-policy
There's always a risk that a CA owner will create a security nightmare when we aren't looking, probationary period or not. In theory regular audits help to prevent it, but even in cases where they don't, people are free to raise concerns as they come up. I think we've had examples of exactly that in both StartCom and Symantec.

Perhaps one way to think of it is: Do we have reason to believe that the acquiring organization, leadership, etc. will probably make good decisions in the furtherance of public trust on the Internet? For a company that is a complete unknown, I would say that no evidence exists and therefore a public review prior to the acquisition is appropriate. If we do have sufficient evidence, perhaps it's OK to let the acquisition go through and have a public discussion afterwards.

The Francisco Partners situation is more complicated, however. Francisco Partners itself does not strike me as the sort of company that should own a CA but only because they are investors and not a public trust firm of some sort. That said, they are smart enough to bring in a leadership team that does have knowledge and experience in this space. Unfortunately, though, they are also bringing in a Deep Packet Inspection business which is antithetical to public trust. So what is one to conclude?

The reporting that I've seen seems to indicate that Francisco Partners will not (will never?) combine PKI and DPI into a single business operation. They have to know that doing so would be ruinous to their CA investment. If we assume they know that and if we are willing to take them at their word, I suppose it's reasonable to "allow" the transfer as it relates to Mozilla policy. If we should learn later on that that trust was misplaced, I'm sure we will discuss it and take appropriate action at that time.

From: westmail24--- via dev-security-policy
Sent: Wednesday, November 8, 2017 7:50 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Reply To: westmai...@gmail.com
Subject: Acquisition policy (was: Francisco Partners acquires Comodo certificate authority business)

> Hello Peter,
>
> But what prevents Francisco Partners making a security nightmare after the probationary period? This is logical, I think.
>
> Regards,
> Andrew


Acquisition policy (was: Francisco Partners acquires Comodo certificate authority business)

2017-11-08 Thread westmail24--- via dev-security-policy
Hello Peter, 

But what prevents Francisco Partners making a security nightmare after the 
probationary period? This is logical, I think.

Regards,
Andrew


Acquisition policy (was: Francisco Partners acquires Comodo certificate authority business)

2017-11-08 Thread Peter Kurrasch via dev-security-policy
I could see introducing something of a probationary period of, say, 6 weeks for a public review and discussion, post-acquisition. As a sign of good faith, Mozilla would allow the new entity to continue to issue end-entity certificates. Also as a sign of good faith, the acquirer would agree not to make changes to staff, infrastructure, keys, and so forth and will abstain from changing the interconnectedness of root and intermediate certs.

The idea here being that if we should encounter something that is not acceptable, we need the ability to undo any actions taken during the probationary period. I was thinking 6 weeks would allow enough business days for people to investigate any issues that might arise and accommodate vacation schedules and such. I also think the probationary period would be granted under only certain circumstances--that is, not every acquirer will necessarily qualify.

From: Gervase Markham via dev-security-policy
Sent: Wednesday, November 1, 2017 6:04 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Reply To: Gervase Markham
Subject: Re: Francisco Partners acquires Comodo certificate authority business

> On 31/10/17 13:21, Kyle Hamilton wrote:
> > http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business
>
> Comodo notified Mozilla of this impending acquisition privately in advance, and requested confidentiality, which we granted. Now that the acquisition is public, it is reasonable for the community to have a discussion about the implications for Mozilla's trust of Comodo, if any.
>
> However, there is also another wrinkle to iron out.
>
> Our policy 2.5 says:
>
> "If the receiving or acquiring company is new to the Mozilla root program, there MUST be a public discussion regarding their admittance to the root program, which Mozilla must resolve with a positive conclusion before issuance is permitted."
>
> I personally feel that this is a bug, in that technically it says that as soon as a deal closes and is announced, the CA has to stop issuance entirely until the Mozilla community has had a discussion and given the OK. I believe that's not reasonable and would create massive business disruption if the letter of that rule were enforced strictly. I think that when we wrote the policy, we didn't anticipate the situation where the buyer would be confidential until closing. (Compare Digimantec, where it's not.)
>
> So it would also be useful to have a discussion about what this section of the policy should actually say.
>
> Gerv