Re: Policy 2.6 Proposal: Permit issuance during change in ownership
On Thu, Mar 29, 2018 at 2:12 PM, Ryan Sleeviwrote: > > > On Thu, Mar 29, 2018 at 4:03 PM, Wayne Thayer wrote: > >> On Thu, Mar 29, 2018 at 8:53 AM, Ryan Sleevi wrote: >> >>> >>> On Mon, Mar 26, 2018 at 3:46 PM, Wayne Thayer via dev-security-policy < >>> dev-security-policy@lists.mozilla.org> wrote: >>> When the Francisco Partners acquisition of Comodo was announced, it was pointed out [1] that a strict reading of the current policy section 8.1 would have forced Comodo to stop issuing certificates for some period of time: If the receiving or acquiring company is new to the Mozilla root program, > there MUST be a public discussion regarding their admittance to the root > program, which Mozilla must resolve with a positive conclusion before > issuance is permitted. > I propose that we update section 8.1 to distinguish between root transfers and acquisition of or investment in a CA organization, with the latter cases allowing issuance to continue during the discussion period. During the earlier discussion on this topic [1], it was also proposed that we require the receiving or acquiring company to make no changes during the discussion period and that we require all material changes anticipated as a result of the investment or acquisition to be publicly disclosed by the CA. This is: https://github.com/mozilla/pkipolicy/issues/109 [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/ AvGlsb4BAZo/gQe5ggE6BQAJ >>> >>> >>> I'm having a little bit of difficulty imagining what you see the change >>> looking like. Do you have draft text in mind, to look for possible >>> exploitable loopholes? >>> >>> Here's a proposal: https://github.com/mozilla/pki >> policy/commit/565250b9bbc16c1a4e3d4165f0171e8702b2b21d >> > > Thanks, that's much easier to visualize. > > I think it's a positive change, but it may be worth emphasizing that a > complete change in ownership does not otherwise exempt a CA from the other > reporting - such as changes in operational personnel, material changes in > the CA's operations (CP/CPS), etc. This is covered by Section 8.2 and 8 > overall, so it may not bear mentioning explicitly, or it may be worth > noting that the receiving or acquiring company will be bound by the policy, > in full, including any notifications of further changes. > To address this comment, I added the statement "...it must comply with the entirety of this policy...". With both changes, section 8.1 would read as follows: > This section applies when one company buys or takes a controlling stake in > a CA, or when an organization buys the private key of a certificate in > Mozilla's root program. > > Mozilla MUST be notified of any resulting changes in the CA's CP or CPS. > > If the receiving or acquiring company is new to the Mozilla root program, > it must comply with the entirety of this policy and there MUST be a public > discussion regarding their admittance to the root program, which Mozilla > must resolve with a positive conclusion in order for the affected > certificate(s) to remain in the root program. If the entire CA operation is > not included in the scope of the transaction, issuance is not permitted > until the discussion has been resolved with a positive conclusion. > Unless there are further comments on this topic, I'll include this change in version 2.6 - Wayne ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Policy 2.6 Proposal: Permit issuance during change in ownership
On Thu, Mar 29, 2018 at 4:03 PM, Wayne Thayerwrote: > On Thu, Mar 29, 2018 at 8:53 AM, Ryan Sleevi wrote: > >> >> On Mon, Mar 26, 2018 at 3:46 PM, Wayne Thayer via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >>> When the Francisco Partners acquisition of Comodo was announced, it was >>> pointed out [1] that a strict reading of the current policy section 8.1 >>> would have forced Comodo to stop issuing certificates for some period of >>> time: >>> >>> If the receiving or acquiring company is new to the Mozilla root program, >>> > there MUST be a public discussion regarding their admittance to the >>> root >>> > program, which Mozilla must resolve with a positive conclusion before >>> > issuance is permitted. >>> > >>> >>> I propose that we update section 8.1 to distinguish between root >>> transfers >>> and acquisition of or investment in a CA organization, with the latter >>> cases allowing issuance to continue during the discussion period. >>> >>> During the earlier discussion on this topic [1], it was also proposed >>> that >>> we require the receiving or acquiring company to make no changes during >>> the >>> discussion period and that we require all material changes anticipated >>> as a >>> result of the investment or acquisition to be publicly disclosed by the >>> CA. >>> >>> This is: https://github.com/mozilla/pkipolicy/issues/109 >>> >>> [1] >>> https://groups.google.com/d/msg/mozilla.dev.security.policy/ >>> AvGlsb4BAZo/gQe5ggE6BQAJ >> >> >> I'm having a little bit of difficulty imagining what you see the change >> looking like. Do you have draft text in mind, to look for possible >> exploitable loopholes? >> >> Here's a proposal: https://github.com/mozilla/pkipolicy/commit/ > 565250b9bbc16c1a4e3d4165f0171e8702b2b21d > Thanks, that's much easier to visualize. I think it's a positive change, but it may be worth emphasizing that a complete change in ownership does not otherwise exempt a CA from the other reporting - such as changes in operational personnel, material changes in the CA's operations (CP/CPS), etc. This is covered by Section 8.2 and 8 overall, so it may not bear mentioning explicitly, or it may be worth noting that the receiving or acquiring company will be bound by the policy, in full, including any notifications of further changes. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Policy 2.6 Proposal: Permit issuance during change in ownership
On Thu, Mar 29, 2018 at 8:53 AM, Ryan Sleeviwrote: > > On Mon, Mar 26, 2018 at 3:46 PM, Wayne Thayer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> When the Francisco Partners acquisition of Comodo was announced, it was >> pointed out [1] that a strict reading of the current policy section 8.1 >> would have forced Comodo to stop issuing certificates for some period of >> time: >> >> If the receiving or acquiring company is new to the Mozilla root program, >> > there MUST be a public discussion regarding their admittance to the root >> > program, which Mozilla must resolve with a positive conclusion before >> > issuance is permitted. >> > >> >> I propose that we update section 8.1 to distinguish between root transfers >> and acquisition of or investment in a CA organization, with the latter >> cases allowing issuance to continue during the discussion period. >> >> During the earlier discussion on this topic [1], it was also proposed that >> we require the receiving or acquiring company to make no changes during >> the >> discussion period and that we require all material changes anticipated as >> a >> result of the investment or acquisition to be publicly disclosed by the >> CA. >> >> This is: https://github.com/mozilla/pkipolicy/issues/109 >> >> [1] >> https://groups.google.com/d/msg/mozilla.dev.security.policy/ >> AvGlsb4BAZo/gQe5ggE6BQAJ > > > I'm having a little bit of difficulty imagining what you see the change > looking like. Do you have draft text in mind, to look for possible > exploitable loopholes? > > Here's a proposal: https://github.com/mozilla/pkipolicy/commit/565250b9bbc16c1a4e3d4165f0171e8702b2b21d On its face, it sounds reasonable, but it seems the wording will be tricky > to get right. > ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Policy 2.6 Proposal: Permit issuance during change in ownership
On Mon, Mar 26, 2018 at 3:46 PM, Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > When the Francisco Partners acquisition of Comodo was announced, it was > pointed out [1] that a strict reading of the current policy section 8.1 > would have forced Comodo to stop issuing certificates for some period of > time: > > If the receiving or acquiring company is new to the Mozilla root program, > > there MUST be a public discussion regarding their admittance to the root > > program, which Mozilla must resolve with a positive conclusion before > > issuance is permitted. > > > > I propose that we update section 8.1 to distinguish between root transfers > and acquisition of or investment in a CA organization, with the latter > cases allowing issuance to continue during the discussion period. > > During the earlier discussion on this topic [1], it was also proposed that > we require the receiving or acquiring company to make no changes during the > discussion period and that we require all material changes anticipated as a > result of the investment or acquisition to be publicly disclosed by the CA. > > This is: https://github.com/mozilla/pkipolicy/issues/109 > > [1] > https://groups.google.com/d/msg/mozilla.dev.security.policy/AvGlsb4BAZo/ > gQe5ggE6BQAJ I'm having a little bit of difficulty imagining what you see the change looking like. Do you have draft text in mind, to look for possible exploitable loopholes? On its face, it sounds reasonable, but it seems the wording will be tricky to get right. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Policy 2.6 Proposal: Permit issuance during change in ownership
When the Francisco Partners acquisition of Comodo was announced, it was pointed out [1] that a strict reading of the current policy section 8.1 would have forced Comodo to stop issuing certificates for some period of time: If the receiving or acquiring company is new to the Mozilla root program, > there MUST be a public discussion regarding their admittance to the root > program, which Mozilla must resolve with a positive conclusion before > issuance is permitted. > I propose that we update section 8.1 to distinguish between root transfers and acquisition of or investment in a CA organization, with the latter cases allowing issuance to continue during the discussion period. During the earlier discussion on this topic [1], it was also proposed that we require the receiving or acquiring company to make no changes during the discussion period and that we require all material changes anticipated as a result of the investment or acquisition to be publicly disclosed by the CA. This is: https://github.com/mozilla/pkipolicy/issues/109 [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/AvGlsb4BAZo/gQe5ggE6BQAJ --- This is a proposed update to Mozilla's root store policy for version 2.6. Please keep discussion in this group rather than on GitHub. Silence is consent. Policy 2.5 (current version): https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy