Re: Policy 2.5 Proposal: Incorporate Root Transfer Policy

2017-05-09 Thread Gervase Markham via dev-security-policy
On 01/05/17 10:02, Gervase Markham wrote:
> Here is a diff of the proposed changes:
> https://github.com/mozilla/pkipolicy/compare/issue-57

Incorporated.

Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Policy 2.5 Proposal: Incorporate Root Transfer Policy

2017-05-02 Thread Gervase Markham via dev-security-policy
On 02/05/17 03:10, Peter Kurrasch wrote:
> Your updates look good! One small quibble: The bottom of the Physical
> Relocation section mentions the code signing trust bit, but I think that
> is irrelevant now?

I see that on https://wiki.mozilla.org/CA:RootTransferPolicy, but
that's the document we are superseding. Can you see that on the new doc?
I can't...

> Would you feel comfortable mandating that, whenever an organization
> notifies Mozilla about changes in ownership or operation, the
> organization must notify the public about any such changes? The idea
> here is transparency, and making sure that all parties (subscribers and
> relying parties alike) are made aware of the changes in case they wish
> to make changes of their own.

No, I would not be comfortable with that. I think that, as long as
security is not impacted (and if issuance is suspended, or continuing
under the old arrangements, it is not) it is fine for company deals to
remain confidential until they close. Once there is an actual change of
control and issuance restarts, clearly by that point the public must be
informed. But that is covered, for new root program entrants at least,
by the requirement that new orgs be vetted in m.d.s.p.

Do you think we should have a "public notification before issuance
(re-)begins" requirement even if e.g. existing CA B buys a root from
existing CA A?

> For whatever it's worth, I gave the Personnel Changes section a bit of
> thought and wondered if further articulation of "changes" might be
> helpful. The example that came to mind is GTS and
> GlobalSign--specifically, that Google would continue to use GlobalSign's
> infrastructure until a transition is made in the future. Presumably, a
> change in personnel will take place when Google switches to its own
> infrastructure, so should Mozilla be notified at that time? As written,
> I think the answer could be yes, but is that necessarily what you want?

What different might we want? :-)

Gerv


Re: Policy 2.5 Proposal: Incorporate Root Transfer Policy

2017-05-01 Thread Peter Kurrasch via dev-security-policy
Hi Gerv,

Your updates look good! One small quibble: The bottom of the Physical Relocation section mentions the code signing trust bit, but I think that is irrelevant now?

Would you feel comfortable mandating that, whenever an organization notifies Mozilla about changes in ownership or operation, the organization must notify the public about any such changes? The idea here is transparency, and making sure that all parties (subscribers and relying parties alike) are made aware of the changes in case they wish to make changes of their own.

For whatever it's worth, I gave the Personnel Changes section a bit of thought and wondered if further articulation of "changes" might be helpful. The example that came to mind is GTS and GlobalSign--specifically, that Google would continue to use GlobalSign's infrastructure until a transition is made in the future. Presumably, a change in personnel will take place when Google switches to its own infrastructure, so should Mozilla be notified at that time? As written, I think the answer could be yes, but is that necessarily what you want?

(And, for the record, I'm not trying to rehash any past discussion of the acquisition. Rather, I thought it might be a good real-world example based on my understanding of events. If my facts are wrong, that hopefully will not nullify its value as a hypothetical example.)

If you prefer to leave the personnel section as-is, I have no issue with that.

From: Gervase Markham via dev-security-policy
Sent: Monday, May 1, 2017 4:02 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Reply To: Gervase Markham
Subject: Policy 2.5 Proposal: Incorporate Root Transfer Policy

Mozilla has a Root Transfer Policy which sets out our expectations
regarding how roots are transferred between organizations, or what
happens when one company buys another, based on a recognition that trust
is not always transferable.

https://wiki.mozilla.org/CA:RootTransferPolicy

It has been reasonably observed that it would be better if this policy
were part of our official policy rather than a separate wiki page.

So, I have attempted to take that wiki page, remove duplication and boil
it down into a set of requirements to add to the existing policy.

Here is a diff of the proposed changes:
https://github.com/mozilla/pkipolicy/compare/issue-57

This is: https://github.com/mozilla/pkipolicy/issues/57

---

This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates


Policy 2.5 Proposal: Incorporate Root Transfer Policy

2017-05-01 Thread Gervase Markham via dev-security-policy
Mozilla has a Root Transfer Policy which sets out our expectations
regarding how roots are transferred between organizations, or what
happens when one company buys another, based on a recognition that trust
is not always transferable.

https://wiki.mozilla.org/CA:RootTransferPolicy

It has been reasonably observed that it would be better if this policy
were part of our official policy rather than a separate wiki page.

So, I have attempted to take that wiki page, remove duplication and boil
it down into a set of requirements to add to the existing policy.

Here is a diff of the proposed changes:
https://github.com/mozilla/pkipolicy/compare/issue-57

This is: https://github.com/mozilla/pkipolicy/issues/57

---

This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates