Re: Francisco Partners acquires Comodo certificate authority business

2017-11-09 Thread Peter Bachman via dev-security-policy
On Tuesday, October 31, 2017 at 9:22:09 AM UTC-4, Kyle Hamilton wrote:
> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business

I did a little spot check. So yes they hired a person who was involved with 
Entrust, so that is a plus. The website says it is an IP carve out. OK. Does 
this translate into knowledge so a consumer can make a rational trust decision?

I looked at their most recent CPS while shopping for a client email certificate.

3.2.7.1. Personal Secure Email Certificate
The only identifying information in the subject DN is the email address of the
Subscriber. Comodo validates the right for the Applicant to use the submitted
email address. This is achieved through the delivery via a challenge and
response made to the email address submitted during the Certificate
application.
Comodo validates that the Applicant holds the private key corresponding with a
public key to be included in the Certificate by utilizing an online enrollment
process whereby Comodo facilitates the Subscriber generating its key pair using
a specially crafted web page. The key pair is generated in the Subscriber's
computer. The private key is not exported or transferred from the Subscriber's
computer as part of the application process.

This was previously "Free" and now is billed at $12, but no matter. I clicked
on the chat window and spoke to a technical support rep. I asked what NIST
Level of Assurance the S/MIME certificate was; after about 10 minutes I got the
answer, which was LOA 3.

So as a consumer I was just told I could get a NIST LOA 3 S/MIME client and 
signing certificate for $12, that according to the website also would be 
trusted by Mozilla, etc. Of course I know that's not possible, and we can't 
always expect random support people to give the right answer. So what is the 
value add here from Francisco Partners, other than the previously "Free" 
certificate is now $12 and claimed to be at LOA 3?
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Francisco Partners acquires Comodo certificate authority business

2017-11-01 Thread Kathleen Wilson via dev-security-policy

On 11/1/17 12:22 PM, westmai...@gmail.com wrote:

Hello,

Why did you remove the post of Peter Gutmann (Nov. 1, 2017, 4:08)?

If I understand correctly, at the time of the public discussion for the new
SSL.com root certificates (RA Comodo), Mozilla concealed information about the
acquisition of Comodo's SSL business, and the past public discussion about the
new SSL.com root certificates can now be considered incorrect at this moment
in time.

Regards,
Andrew.


Please forward the missing email from Peter Gutmann to me.

I do not know if it is related, but we have been experiencing problems
with groups.google.com:

https://bugzilla.mozilla.org/show_bug.cgi?id=1412993

Kathleen



RE: Francisco Partners acquires Comodo certificate authority business

2017-11-01 Thread Paul Kehrer via dev-security-policy
On November 1, 2017 at 2:23:17 PM, westmail24--- via dev-security-policy
(dev-security-policy@lists.mozilla.org) wrote:

Hello,

If I understand correctly, at the time of the public discussion for the new
SSL.com root certificates (RA Comodo), Mozilla concealed information about
the acquisition of Comodo's SSL business, and the past public discussion
about the new SSL.com root certificates can now be considered incorrect at
this moment in time.


I don't think it's going to be a productive avenue of discussion to imply
Mozilla acted in bad faith with regard to private knowledge of an impending
sale.

If people are seriously concerned by these sorts of transactions I'd urge
them to participate in discussions around mandatory CT as that provides
technical means to document the hypothetical malfeasance they're concerned
about.

-Paul


RE: Francisco Partners acquires Comodo certificate authority business

2017-11-01 Thread westmail24--- via dev-security-policy
Hello,

Why did you remove the post of Peter Gutmann (Nov. 1, 2017, 4:08)?

If I understand correctly, at the time of the public discussion for the new
SSL.com root certificates (RA Comodo), Mozilla concealed information about the
acquisition of Comodo's SSL business, and the past public discussion about the
new SSL.com root certificates can now be considered incorrect at this moment
in time.

Regards,
Andrew.


RE: Francisco Partners acquires Comodo certificate authority business

2017-11-01 Thread Robin Alden via dev-security-policy
Peter,
As you noted in your post to the cryptography list, Francisco
Partners' website states that they exited from their investment in Blue
Coat.
https://www.franciscopartners.com/investments/blue-coat?sector=Comms-Security=1200

Regards
Robin Alden
Comodo

> -Original Message-
> From: Peter Gutmann via dev-security-policy
> Sent: 01 November 2017 04:08
> To: mozilla-dev-security-pol...@lists.mozilla.org; m...@flanga.io
> Subject: Re: Francisco Partners acquires Comodo certificate authority business
>
> mw--- via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
>
> >So they sell multiple roots over to a company that is "the leader in Deep
> >Packet Inspection (DPI) and we've got a lot going on in that space" and
> >enable them to issue trusted certificates and mitm all encrypted connections
> >with that? That is a good halloween joke!
>
> Francisco Partners is more a general investment company, but in that regard
> they also have a stake in firms like Blue Coat, whose products have been used
> by repressive regimes against their citizens.
>
> Still, it's amusing that a perfect mechanism for performing MITM attacks is
> now controlled by a company who has other arms that actively perform MITM
> attacks.
>
> Peter.




RE: Francisco Partners acquires Comodo certificate authority business

2017-11-01 Thread Robin Alden via dev-security-policy
> -Original Message-
> From: Gerv
> Subject: Re: Francisco Partners acquires Comodo certificate authority business
>
> On 31/10/17 13:21, Kyle Hamilton wrote:
> > http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business
>
> Comodo notified Mozilla of this impending acquisition privately in
> advance, and requested confidentiality, which we granted. Now that the
> acquisition is public, it is reasonable for the community to have a
> discussion about the implications for Mozilla's trust of Comodo, if any.

http://www.businesswire.com/news/home/20171031005584/en/Francisco-Partners-Announces-Acquisition-Comodo%E2%80%99s-Certificate-Authority

We can confirm that a majority stake in Comodo CA Ltd. has been acquired by
Francisco Partners.

The deal has closed, i.e. the transaction is complete.

We are conscious of the requirements of section 8 of the Mozilla Root Store
Policy.

As you have seen from the announcement, we have a new CEO and new Chairman
who have prior experience in managing a trusted CA organization.

There are to be no resultant changes to our CPS, our operations, our
business policies or procedures, or the secure locations from which we
operate our CA infrastructure.

The operational personnel in Comodo CA Limited will not change.  The
certificate validation teams will remain unchanged.

Regards
Robin Alden & Rob Stradling
Comodo CA Ltd.



Re: Francisco Partners acquires Comodo certificate authority business

2017-11-01 Thread Gervase Markham via dev-security-policy
On 31/10/17 13:21, Kyle Hamilton wrote:
> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business

Comodo notified Mozilla of this impending acquisition privately in
advance, and requested confidentiality, which we granted. Now that the
acquisition is public, it is reasonable for the community to have a
discussion about the implications for Mozilla's trust of Comodo, if any.

However, there is also another wrinkle to iron out. Our policy 2.5 says:
"If the receiving or acquiring company is new to the Mozilla root
program, there MUST be a public discussion regarding their admittance to
the root program, which Mozilla must resolve with a positive conclusion
before issuance is permitted."

I personally feel that this is a bug, in that technically it says that
as soon as a deal closes and is announced, the CA has to stop issuance
entirely until the Mozilla community has had a discussion and given the
OK. I believe that's not reasonable and would create massive business
disruption if the letter of that rule were enforced strictly. I think
that when we wrote the policy, we didn't anticipate the situation where
the buyer would be confidential until closing. (Compare Digimantec,
where it's not.)

So it would also be useful to have a discussion about what this section
of the policy should actually say.

Gerv


Re: Francisco Partners acquires Comodo certificate authority business

2017-10-31 Thread Peter Kurrasch via dev-security-policy
The timing and content of any announcement is undoubtedly complicated, caused,
in no small part, by legitimate needs for confidentiality against the goals of
transparency. I have every reason to trust in the good judgment of Gerv and
Kathleen in navigating that path with the interests of this community in mind.
If there is more they are able to say on this matter, I hope that they will; if
not, I will understand.

That said, I hope someone will indeed say more about the reporting in these
articles. There are 2 issues in particular that I think would be good to
address at this time. The first is the use of the past tense (e.g. "has
acquired") regarding the reported transaction. How much of the acquisition
process has, in fact, transpired--if anything?

The second is the meager explanation of what has transpired or is expected to
transpire--again, if anything. Based on my understanding, there is (or will be)
a change of legal ownership and leadership. Accordingly, is a review of the new
ownership warranted? Bringing together a CA with a Deep Packet Inspection
business certainly is...uncomfortable.

It is my sincere hope that someone will come forward and provide some clarity,
even if just to say this is fake news.

From: Ryan Sleevi
Sent: Tuesday, October 31, 2017 2:59 PM
To: Peter Kurrasch
Reply To: r...@sleevi.com
Cc: mozilla-dev-security-policy
Subject: Re: Francisco Partners acquires Comodo certificate authority business

On Tue, Oct 31, 2017 at 3:44 PM, Peter Kurrasch via dev-security-policy wrote:

> Both articles are long on names, short on dates. I don't fault the authors
> for that but it is troubling that better information wasn't made available
> to them.
>
> When can we expect a proper announcement in this forum? I would expect any
> such announcement to provide details on the skills and experience that this
> new leadership team has in running a CA. For example, are they aware of
> section 8 of the Mozilla Root Store Policy?

Such announcements are not part of the Mozilla Policy expectations. Could you
clarify why you expect such an announcement?



Re: Francisco Partners acquires Comodo certificate authority business

2017-10-31 Thread Peter Gutmann via dev-security-policy
mw--- via dev-security-policy writes:

>So they sell multiple roots over to a company that is "the leader in Deep
>Packet Inspection (DPI) and we've got a lot going on in that space" and
>enable them to issue trusted certificates and mitm all encrypted connections
>with that? That is a good halloween joke!

Francisco Partners is more a general investment company, but in that regard
they also have a stake in firms like Blue Coat, whose products have been used
by repressive regimes against their citizens.

Still, it's amusing that a perfect mechanism for performing MITM attacks is
now controlled by a company who has other arms that actively perform MITM
attacks.

Peter.


Re: Francisco Partners acquires Comodo certificate authority business

2017-10-31 Thread Ryan Sleevi via dev-security-policy
You didn't really leave room for productive discussion between your
options, did you? :)

As you can see from
https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md#8-ca-operational-changes
, notification is required for certain changes - but that notification goes
to a Mozilla mail alias, not to the public lists. As such, one should not
presume that because of a lack of public discussion, there was a lack of
notice.

With respect to "rumor mill reported as fact", considering the people named
in the first article you mentioned include the CEO of Comodo CA and the
Chairman of the Board, it seems that the only way this would be "rumor
mill" is based on whether or not eweek and securityweek are reputable
organizations, right?

On Tue, Oct 31, 2017 at 1:51 PM, Kyle Hamilton via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> Another article about this is
> http://www.securityweek.com/francisco-partners-acquires-comodo-ca .
>
> Notably, I'm not seeing anything in the official news announcements pages
> for either Francisco Partners or Comodo. Is this an attempt at another
> StartCom (silent ownership transfer), or is it a case of "rumor mill
> reported as fact"?
>
> -Kyle H
>
> On 2017-10-31 06:21, Kyle Hamilton wrote:
>
>> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business


Re: Francisco Partners acquires Comodo certificate authority business

2017-10-31 Thread Peter Kurrasch via dev-security-policy
Both articles are long on names, short on dates. I don't fault the authors for
that but it is troubling that better information wasn't made available to them.

When can we expect a proper announcement in this forum? I would expect any such
announcement to provide details on the skills and experience that this new
leadership team has in running a CA. For example, are they aware of section 8
of the Mozilla Root Store Policy?

From: Kyle Hamilton via dev-security-policy
Sent: Tuesday, October 31, 2017 12:51 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Reply To: Kyle Hamilton
Subject: Re: Francisco Partners acquires Comodo certificate authority business

Another article about this is
http://www.securityweek.com/francisco-partners-acquires-comodo-ca .

Notably, I'm not seeing anything in the official news announcements pages for
either Francisco Partners or Comodo. Is this an attempt at another StartCom
(silent ownership transfer), or is it a case of "rumor mill reported as fact"?

-Kyle H

On 2017-10-31 06:21, Kyle Hamilton wrote:
> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business


Re: Francisco Partners acquires Comodo certificate authority business

2017-10-31 Thread Kyle Hamilton via dev-security-policy
Another article about this is 
http://www.securityweek.com/francisco-partners-acquires-comodo-ca .


Notably, I'm not seeing anything in the official news announcements 
pages for either Francisco Partners or Comodo.  Is this an attempt at 
another StartCom (silent ownership transfer), or is it a case of "rumor 
mill reported as fact"?


-Kyle H


On 2017-10-31 06:21, Kyle Hamilton wrote:
http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business 