Re: Policy 2.6 Proposal: Permit issuance during change in ownership

2018-03-30 Thread Wayne Thayer via dev-security-policy
On Thu, Mar 29, 2018 at 2:12 PM, Ryan Sleevi  wrote:

>
>
> On Thu, Mar 29, 2018 at 4:03 PM, Wayne Thayer  wrote:
>
>> On Thu, Mar 29, 2018 at 8:53 AM, Ryan Sleevi  wrote:
>>
>>>
>>> On Mon, Mar 26, 2018 at 3:46 PM, Wayne Thayer via dev-security-policy <
>>> dev-security-policy@lists.mozilla.org> wrote:
>>>
>>>> When the Francisco Partners acquisition of Comodo was announced, it was
>>>> pointed out [1] that a strict reading of the current policy section 8.1
>>>> would have forced Comodo to stop issuing certificates for some period of
>>>> time:
>>>>
>>>> > If the receiving or acquiring company is new to the Mozilla root program,
>>>> > there MUST be a public discussion regarding their admittance to the root
>>>> > program, which Mozilla must resolve with a positive conclusion before
>>>> > issuance is permitted.
>>>>
>>>> I propose that we update section 8.1 to distinguish between root transfers
>>>> and acquisition of or investment in a CA organization, with the latter
>>>> cases allowing issuance to continue during the discussion period.
>>>>
>>>> During the earlier discussion on this topic [1], it was also proposed that
>>>> we require the receiving or acquiring company to make no changes during the
>>>> discussion period and that we require all material changes anticipated as a
>>>> result of the investment or acquisition to be publicly disclosed by the CA.
>>>>
>>>> This is: https://github.com/mozilla/pkipolicy/issues/109
>>>>
>>>> [1]
>>>> https://groups.google.com/d/msg/mozilla.dev.security.policy/AvGlsb4BAZo/gQe5ggE6BQAJ
>>>
>>>
>>> I'm having a little bit of difficulty imagining what you see the change
>>> looking like. Do you have draft text in mind, to look for possible
>>> exploitable loopholes?
>>>
>> Here's a proposal:
>> https://github.com/mozilla/pkipolicy/commit/565250b9bbc16c1a4e3d4165f0171e8702b2b21d
>>
>
> Thanks, that's much easier to visualize.
>
> I think it's a positive change, but it may be worth emphasizing that a
> complete change in ownership does not otherwise exempt a CA from the other
> reporting - such as changes in operational personnel, material changes in
> the CA's operations (CP/CPS), etc. This is covered by Section 8.2 and 8
> overall, so it may not bear mentioning explicitly, or it may be worth
> noting that the receiving or acquiring company will be bound by the policy,
> in full, including any notifications of further changes.
>

To address this comment, I added the statement "...it must comply with the
entirety of this policy...". With both changes, section 8.1 would read as
follows:

> This section applies when one company buys or takes a controlling stake in
> a CA, or when an organization buys the private key of a certificate in
> Mozilla's root program.
>
> Mozilla MUST be notified of any resulting changes in the CA's CP or CPS.
>
> If the receiving or acquiring company is new to the Mozilla root program,
> it must comply with the entirety of this policy and there MUST be a public
> discussion regarding their admittance to the root program, which Mozilla
> must resolve with a positive conclusion in order for the affected
> certificate(s) to remain in the root program. If the entire CA operation is
> not included in the scope of the transaction, issuance is not permitted
> until the discussion has been resolved with a positive conclusion.
>
Unless there are further comments on this topic, I'll include this change
in version 2.6

- Wayne
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Policy 2.6 Proposal: Permit issuance during change in ownership

2018-03-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Mar 29, 2018 at 4:03 PM, Wayne Thayer  wrote:

> On Thu, Mar 29, 2018 at 8:53 AM, Ryan Sleevi  wrote:
>
>>
>> On Mon, Mar 26, 2018 at 3:46 PM, Wayne Thayer via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>>> When the Francisco Partners acquisition of Comodo was announced, it was
>>> pointed out [1] that a strict reading of the current policy section 8.1
>>> would have forced Comodo to stop issuing certificates for some period of
>>> time:
>>>
>>> > If the receiving or acquiring company is new to the Mozilla root program,
>>> > there MUST be a public discussion regarding their admittance to the root
>>> > program, which Mozilla must resolve with a positive conclusion before
>>> > issuance is permitted.
>>>
>>> I propose that we update section 8.1 to distinguish between root transfers
>>> and acquisition of or investment in a CA organization, with the latter
>>> cases allowing issuance to continue during the discussion period.
>>>
>>> During the earlier discussion on this topic [1], it was also proposed that
>>> we require the receiving or acquiring company to make no changes during the
>>> discussion period and that we require all material changes anticipated as a
>>> result of the investment or acquisition to be publicly disclosed by the CA.
>>>
>>> This is: https://github.com/mozilla/pkipolicy/issues/109
>>>
>>> [1]
>>> https://groups.google.com/d/msg/mozilla.dev.security.policy/AvGlsb4BAZo/gQe5ggE6BQAJ
>>
>>
>> I'm having a little bit of difficulty imagining what you see the change
>> looking like. Do you have draft text in mind, to look for possible
>> exploitable loopholes?
>>
> Here's a proposal:
> https://github.com/mozilla/pkipolicy/commit/565250b9bbc16c1a4e3d4165f0171e8702b2b21d
>

Thanks, that's much easier to visualize.

I think it's a positive change, but it may be worth emphasizing that a
complete change in ownership does not otherwise exempt a CA from the other
reporting - such as changes in operational personnel, material changes in
the CA's operations (CP/CPS), etc. This is covered by Section 8.2 and 8
overall, so it may not bear mentioning explicitly, or it may be worth
noting that the receiving or acquiring company will be bound by the policy,
in full, including any notifications of further changes.


Re: Policy 2.6 Proposal: Permit issuance during change in ownership

2018-03-29 Thread Wayne Thayer via dev-security-policy
On Thu, Mar 29, 2018 at 8:53 AM, Ryan Sleevi  wrote:

>
> On Mon, Mar 26, 2018 at 3:46 PM, Wayne Thayer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> When the Francisco Partners acquisition of Comodo was announced, it was
>> pointed out [1] that a strict reading of the current policy section 8.1
>> would have forced Comodo to stop issuing certificates for some period of
>> time:
>>
>> > If the receiving or acquiring company is new to the Mozilla root program,
>> > there MUST be a public discussion regarding their admittance to the root
>> > program, which Mozilla must resolve with a positive conclusion before
>> > issuance is permitted.
>>
>> I propose that we update section 8.1 to distinguish between root transfers
>> and acquisition of or investment in a CA organization, with the latter
>> cases allowing issuance to continue during the discussion period.
>>
>> During the earlier discussion on this topic [1], it was also proposed that
>> we require the receiving or acquiring company to make no changes during the
>> discussion period and that we require all material changes anticipated as a
>> result of the investment or acquisition to be publicly disclosed by the CA.
>>
>> This is: https://github.com/mozilla/pkipolicy/issues/109
>>
>> [1]
>> https://groups.google.com/d/msg/mozilla.dev.security.policy/AvGlsb4BAZo/gQe5ggE6BQAJ
>
>
> I'm having a little bit of difficulty imagining what you see the change
> looking like. Do you have draft text in mind, to look for possible
> exploitable loopholes?
>
Here's a proposal:
https://github.com/mozilla/pkipolicy/commit/565250b9bbc16c1a4e3d4165f0171e8702b2b21d

> On its face, it sounds reasonable, but it seems the wording will be tricky
> to get right.
>


Re: Policy 2.6 Proposal: Permit issuance during change in ownership

2018-03-29 Thread Ryan Sleevi via dev-security-policy
On Mon, Mar 26, 2018 at 3:46 PM, Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> When the Francisco Partners acquisition of Comodo was announced, it was
> pointed out [1] that a strict reading of the current policy section 8.1
> would have forced Comodo to stop issuing certificates for some period of
> time:
>
> > If the receiving or acquiring company is new to the Mozilla root program,
> > there MUST be a public discussion regarding their admittance to the root
> > program, which Mozilla must resolve with a positive conclusion before
> > issuance is permitted.
> >
>
> I propose that we update section 8.1 to distinguish between root transfers
> and acquisition of or investment in a CA organization, with the latter
> cases allowing issuance to continue during the discussion period.
>
> During the earlier discussion on this topic [1], it was also proposed that
> we require the receiving or acquiring company to make no changes during the
> discussion period and that we require all material changes anticipated as a
> result of the investment or acquisition to be publicly disclosed by the CA.
>
> This is: https://github.com/mozilla/pkipolicy/issues/109
>
> [1]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/AvGlsb4BAZo/gQe5ggE6BQAJ


I'm having a little bit of difficulty imagining what you see the change
looking like. Do you have draft text in mind, to look for possible
exploitable loopholes?

On its face, it sounds reasonable, but it seems the wording will be tricky
to get right.


Policy 2.6 Proposal: Permit issuance during change in ownership

2018-03-26 Thread Wayne Thayer via dev-security-policy
When the Francisco Partners acquisition of Comodo was announced, it was
pointed out [1] that a strict reading of the current policy section 8.1
would have forced Comodo to stop issuing certificates for some period of
time:

> If the receiving or acquiring company is new to the Mozilla root program,
> there MUST be a public discussion regarding their admittance to the root
> program, which Mozilla must resolve with a positive conclusion before
> issuance is permitted.
>

I propose that we update section 8.1 to distinguish between root transfers
and acquisition of or investment in a CA organization, with the latter
cases allowing issuance to continue during the discussion period.

During the earlier discussion on this topic [1], it was also proposed that
we require the receiving or acquiring company to make no changes during the
discussion period and that we require all material changes anticipated as a
result of the investment or acquisition to be publicly disclosed by the CA.

This is: https://github.com/mozilla/pkipolicy/issues/109

[1]
https://groups.google.com/d/msg/mozilla.dev.security.policy/AvGlsb4BAZo/gQe5ggE6BQAJ
---

This is a proposed update to Mozilla's root store policy for version
2.6. Please keep discussion in this group rather than on GitHub. Silence
is consent.

Policy 2.5 (current version):
https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md