Re: Francisco Partners acquires Comodo certificate authority business
On Tuesday, October 31, 2017 at 9:22:09 AM UTC-4, Kyle Hamilton wrote:
> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business

I did a little spot check. So yes, they hired a person who was involved with Entrust, so that is a plus. The website says it is an IP carve-out. OK. Does this translate into knowledge so a consumer can make a rational trust decision?

I looked at their most recent CPS while shopping for a client email certificate.

  3.2.7.1. Personal Secure Email Certificate

  The only identifying information in the subject DN is the email address of the Subscriber. Comodo validates the right for the Applicant to use the submitted email address. This is achieved through the delivery via a challenge and response made to the email address submitted during the Certificate application.

  Comodo validates that the Applicant holds the private key corresponding with a public key to be included in the Certificate by utilizing an online enrollment process whereby Comodo facilitates the Subscriber generating its key pair using a specially crafted web page. The key pair is generated in the Subscriber's computer. The private key is not exported or transferred from the Subscriber's computer as part of the application process.

This was previously "Free" and now is billed at $12, but no matter.

I clicked on the chat window and spoke to a technical support rep. I asked what NIST Level of Assurance the S/MIME certificate was; after about 10 minutes I got the answer, which was LOA 3.

So as a consumer I was just told I could get a NIST LOA 3 S/MIME client and signing certificate for $12, that according to the website also would be trusted by Mozilla, etc. Of course I know that's not possible, and we can't always expect random support people to give the right answer.

So what is the value add here from Francisco Partners, other than the previously "Free" certificate is now $12 and claimed to be at LOA 3?
___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
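The CPS section quoted in the post above makes claims a subscriber can check on the issued certificate itself: the subject DN holds nothing but the email address, the email is bound to the certificate, and the certificate is scoped to email protection. The following is an added example, not Comodo's code and not something posted in this thread. It is written in Go against the standard library only; because no CA-issued certificate is available offline, `makeTestCert` constructs a self-signed stand-in, and `inspectSMIMECert` is the assumed name for the check a consumer would run on the real leaf certificate (both names are this example's own).

```go
// Added example (not Comodo's code, not from the thread): a consumer-side
// check of what an issued S/MIME leaf certificate actually asserts, against
// the CPS wording quoted above. The certificate is a constructed, self-signed
// test certificate so the program runs offline.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// emailAddress attribute type (PKCS#9), the only attribute the quoted CPS
// allows in the subject DN of a Personal Secure Email Certificate.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// IdentityReport summarises the identity claims carried by an S/MIME leaf.
type IdentityReport struct {
	SubjectOnlyEmail bool     // subject DN holds nothing but emailAddress attributes (or is empty)
	Emails           []string // rfc822Name SANs plus any subject emailAddress values
	EmailProtection  bool     // EKU includes id-kp-emailProtection
	Problems         []string // human-readable findings
}

// inspectSMIMECert checks the properties a consumer can verify from the
// certificate alone: no identity in the subject DN beyond an email address,
// at least one bound email address, and an email-protection EKU.
func inspectSMIMECert(cert *x509.Certificate) IdentityReport {
	rep := IdentityReport{SubjectOnlyEmail: true}

	// ParseCertificate fills Subject.Names with every attribute in the subject
	// DN, so any non-emailAddress attribute (CN, O, OU, C, ...) shows up here.
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidEmailAddress) {
			if s, ok := atv.Value.(string); ok {
				rep.Emails = append(rep.Emails, s)
			}
			continue
		}
		rep.SubjectOnlyEmail = false
		rep.Problems = append(rep.Problems,
			fmt.Sprintf("subject DN carries identity attribute %v beyond an email address", atv.Type))
	}

	rep.Emails = append(rep.Emails, cert.EmailAddresses...)
	if len(rep.Emails) == 0 {
		rep.Problems = append(rep.Problems, "no email address bound in subject or subjectAltName")
	}

	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageEmailProtection {
			rep.EmailProtection = true
		}
	}
	if !rep.EmailProtection {
		rep.Problems = append(rep.Problems, "extended key usage lacks id-kp-emailProtection")
	}
	return rep
}

// makeTestCert builds a self-signed leaf with the given subject and rfc822Name
// SANs. It is a constructed stand-in for a CA-issued certificate so the check
// can run offline; in practice the input is the certificate the CA issued.
func makeTestCert(subject pkix.Name, emails []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        subject,
		EmailAddresses: emails,
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed inputs: one certificate shaped as the CPS describes, one that
	// also asserts a person's name and organisation in the subject DN.
	cases := map[string]pkix.Name{
		"email-only subject":  {},
		"identity in subject": {CommonName: "Alice Example", Organization: []string{"Example Corp"}},
	}
	for label, subj := range cases {
		cert, err := makeTestCert(subj, []string{"alice@example.com"})
		if err != nil {
			panic(err)
		}
		rep := inspectSMIMECert(cert)
		fmt.Printf("%s: subjectOnlyEmail=%v emails=%v emailProtection=%v problems=%v\n",
			label, rep.SubjectOnlyEmail, rep.Emails, rep.EmailProtection, rep.Problems)
	}
}
```

The report is deliberately descriptive rather than a pass/fail verdict: a certificate with a CN and O in the subject is not defective, it simply asserts more than the CPS section says a $12 email-validated certificate asserts, which is exactly the gap between what a support rep claims and what the artefact proves.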
Re: Francisco Partners acquires Comodo certificate authority business
On 11/1/17 12:22 PM, westmai...@gmail.com wrote:
> Hello,
>
> Why did you remove the post of Peter Gutmann (Nov. 1, 2017, 4:08)?
>
> If I understand correctly, at the time of the public discussion for new root certificates SSL.com (RA Comodo) Mozilla concealed information about the acquisition of the SSL business of Comodo, and so the past public discussion about new root certificates SSL.com can be considered incorrect at this moment in time.
>
> Regards,
> Andrew.

Please forward the missing email from Peter Gutmann to me. I do not know if it is related, but we have been experiencing problems with groups.google.com:
https://bugzilla.mozilla.org/show_bug.cgi?id=1412993

Kathleen
RE: Francisco Partners acquires Comodo certificate authority business
On November 1, 2017 at 2:23:17 PM, westmail24--- via dev-security-policy (dev-security-policy@lists.mozilla.org) wrote:
> Hello,
>
> If I understand correctly, at the time of the public discussion for new root certificates SSL.com (RA Comodo) Mozilla concealed information about the acquisition of the SSL business of Comodo, and so the past public discussion about new root certificates SSL.com can be considered incorrect at this moment in time.

I don't think it's going to be a productive avenue of discussion to imply Mozilla acted in bad faith with regard to private knowledge of an impending sale. If people are seriously concerned by these sorts of transactions, I'd urge them to participate in discussions around mandatory CT, as that provides technical means to document the hypothetical malfeasance they're concerned about.

-Paul
RE: Francisco Partners acquires Comodo certificate authority business
Hello,

Why did you remove the post of Peter Gutmann (Nov. 1, 2017, 4:08)?

If I understand correctly, at the time of the public discussion for new root certificates SSL.com (RA Comodo) Mozilla concealed information about the acquisition of the SSL business of Comodo, and so the past public discussion about new root certificates SSL.com can be considered incorrect at this moment in time.

Regards,
Andrew.
RE: Francisco Partners acquires Comodo certificate authority business
Peter,

As you noted in your post to the cryptography list, Francisco Partners' website states that they exited from their investment in Blue Coat.
https://www.franciscopartners.com/investments/blue-coat?sector=Comms-Security=1200

Regards
Robin Alden
Comodo

> -----Original Message-----
> From: Peter Gutmann via dev-security-policy
> Sent: 01 November 2017 04:08
> To: mozilla-dev-security-pol...@lists.mozilla.org; m...@flanga.io
> Subject: Re: Francisco Partners acquires Comodo certificate authority business
>
> mw--- via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
>
> >So they sell multiple roots over to a company that is "the leader in Deep
> >Packet Inspection (DPI) and we've got a lot going on in that space" and
> >enable them to issue trusted certificates and mitm all encrypted connections
> >with that? That is a good halloween joke!
>
> Francisco Partners is more a general investment company, but in that regard
> they also have a stake in firms like Blue Coat, whose products have been used
> by repressive regimes against their citizens.
>
> Still, it's amusing that a perfect mechanism for performing MITM attacks is
> now controlled by a company who has other arms that actively perform MITM
> attacks.
>
> Peter.
RE: Francisco Partners acquires Comodo certificate authority business
> -----Original Message-----
> From: Gerv
> Subject: Re: Francisco Partners acquires Comodo certificate authority business
>
> On 31/10/17 13:21, Kyle Hamilton wrote:
> > http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business
>
> Comodo notified Mozilla of this impending acquisition privately in
> advance, and requested confidentiality, which we granted. Now that the
> acquisition is public, it is reasonable for the community to have a
> discussion about the implications for Mozilla's trust of Comodo, if any.

http://www.businesswire.com/news/home/20171031005584/en/Francisco-Partners-Announces-Acquisition-Comodo%E2%80%99s-Certificate-Authority

We can confirm that a majority stake in Comodo CA Ltd. has been acquired by Francisco Partners. The deal has closed, i.e. the transaction is complete.

We are conscious of the requirements of section 8 of the Mozilla Root Store Policy. As you have seen from the announcement, we have a new CEO and new Chairman who have prior experience in managing a trusted CA organization. There are to be no resultant changes to our CPS, our operations, our business policies or procedures, or the secure locations from which we operate our CA infrastructure. The operational personnel in Comodo CA Limited will not change. The certificate validation teams will remain unchanged.

Regards
Robin Alden & Rob Stradling
Comodo CA Ltd.
Re: Francisco Partners acquires Comodo certificate authority business
On 31/10/17 13:21, Kyle Hamilton wrote:
> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business

Comodo notified Mozilla of this impending acquisition privately in advance, and requested confidentiality, which we granted. Now that the acquisition is public, it is reasonable for the community to have a discussion about the implications for Mozilla's trust of Comodo, if any.

However, there is also another wrinkle to iron out. Our policy 2.5 says:

"If the receiving or acquiring company is new to the Mozilla root program, there MUST be a public discussion regarding their admittance to the root program, which Mozilla must resolve with a positive conclusion before issuance is permitted."

I personally feel that this is a bug, in that technically it says that as soon as a deal closes and is announced, the CA has to stop issuance entirely until the Mozilla community has had a discussion and given the OK. I believe that's not reasonable and would create massive business disruption if the letter of that rule were enforced strictly. I think that when we wrote the policy, we didn't anticipate the situation where the buyer would be confidential until closing. (Compare Digimantec, where it's not.) So it would also be useful to have a discussion about what this section of the policy should actually say.

Gerv
Re: Francisco Partners acquires Comodo certificate authority business
The timing and content of any announcement is undoubtedly complicated, caused, in no small part, by legitimate needs for confidentiality against the goals of transparency. I have every reason to trust in the good judgment of Gerv and Kathleen in navigating that path with the interests of this community in mind. If there is more they are able to say on this matter, I hope that they will; if not, I will understand.

That said, I hope someone will indeed say more about the reporting in these articles. There are 2 issues in particular that I think would be good to address at this time.

The first is the use of the past tense (e.g. "has acquired") regarding the reported transaction. How much of the acquisition process has, in fact, transpired--if anything?

The second is the meager explanation of what has transpired or is expected to transpire--again, if anything. Based on my understanding, there is (or will be) a change of legal ownership and leadership. Accordingly, is a review of the new ownership warranted? Bringing together a CA with a Deep Packet Inspection business certainly is...uncomfortable.

It is my sincere hope that someone will come forward and provide some clarity, even if just to say this is fake news.

From: Ryan Sleevi
Sent: Tuesday, October 31, 2017 2:59 PM
To: Peter Kurrasch
Reply To: r...@sleevi.com
Cc: mozilla-dev-security-policy
Subject: Re: Francisco Partners acquires Comodo certificate authority business

On Tue, Oct 31, 2017 at 3:44 PM, Peter Kurrasch via dev-security-policy wrote:
> Both articles are long on names, short on dates. I don't fault the authors for that but it is troubling that better information wasn't made available to them.
>
> When can we expect a proper announcement in this forum? I would expect any such announcement to provide details on the skills and experience that this new leadership team has in running a CA. For example, are they aware of section 8 of the Mozilla Root Store Policy?

Such announcements are not part of the Mozilla Policy expectations. Could you clarify why you expect such an announcement?
Re: Francisco Partners acquires Comodo certificate authority business
mw--- via dev-security-policy writes:

>So they sell multiple roots over to a company that is "the leader in Deep
>Packet Inspection (DPI) and we've got a lot going on in that space" and
>enable them to issue trusted certificates and mitm all encrypted connections
>with that? That is a good halloween joke!

Francisco Partners is more a general investment company, but in that regard
they also have a stake in firms like Blue Coat, whose products have been used
by repressive regimes against their citizens.

Still, it's amusing that a perfect mechanism for performing MITM attacks is
now controlled by a company who has other arms that actively perform MITM
attacks.

Peter.
Re: Francisco Partners acquires Comodo certificate authority business
You didn't really leave room for productive discussion between your options, did you? :)

As you can see from https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md#8-ca-operational-changes , notification is required for certain changes - but that notification goes to a Mozilla mail alias, not to the public lists. As such, one should not presume that because of a lack of public discussion, there was a lack of notice.

With respect to "rumor mill reported as fact", considering the people named in the first article you mentioned include the CEO of Comodo CA and the Chairman of the Board, it seems that the only way this would be "rumor mill" is based on whether or not eweek and securityweek are reputable organizations, right?

On Tue, Oct 31, 2017 at 1:51 PM, Kyle Hamilton via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Another article about this is http://www.securityweek.com/francisco-partners-acquires-comodo-ca .
>
> Notably, I'm not seeing anything in the official news announcements pages
> for either Francisco Partners or Comodo. Is this an attempt at another
> StartCom (silent ownership transfer), or is it a case of "rumor mill
> reported as fact"?
>
> -Kyle H
>
> On 2017-10-31 06:21, Kyle Hamilton wrote:
>
>> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business
Re: Francisco Partners acquires Comodo certificate authority business
Both articles are long on names, short on dates. I don't fault the authors for that but it is troubling that better information wasn't made available to them.

When can we expect a proper announcement in this forum? I would expect any such announcement to provide details on the skills and experience that this new leadership team has in running a CA. For example, are they aware of section 8 of the Mozilla Root Store Policy?

From: Kyle Hamilton via dev-security-policy
Sent: Tuesday, October 31, 2017 12:51 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Reply To: Kyle Hamilton
Subject: Re: Francisco Partners acquires Comodo certificate authority business

Another article about this is http://www.securityweek.com/francisco-partners-acquires-comodo-ca .

Notably, I'm not seeing anything in the official news announcements pages for either Francisco Partners or Comodo. Is this an attempt at another StartCom (silent ownership transfer), or is it a case of "rumor mill reported as fact"?

-Kyle H

On 2017-10-31 06:21, Kyle Hamilton wrote:
> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business
Re: Francisco Partners acquires Comodo certificate authority business
Another article about this is http://www.securityweek.com/francisco-partners-acquires-comodo-ca .

Notably, I'm not seeing anything in the official news announcements pages for either Francisco Partners or Comodo. Is this an attempt at another StartCom (silent ownership transfer), or is it a case of "rumor mill reported as fact"?

-Kyle H

On 2017-10-31 06:21, Kyle Hamilton wrote:
> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business