Re: Sectigo to Be Acquired by GI Partners

2020-10-16 Thread Rob Stradling via dev-security-policy
Jakob wrote:
> The part needing clarification started with:
>
> > In addition to the questions posted by Wayne, I think it'd be useful
> > to confirm:
> > ...

I did not address that part of Ryan's post, but Tim's delayed message did 
address it.

See 
https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg13782.html
and 
https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg13795.html

The only​ purpose of my post was to say that Tim had posted a message that (we 
believed) had got stuck in a moderation queue.  I felt that I needed to post my 
message because Mozilla expects CAs to answer questions in a timely fashion 
(see https://wiki.mozilla.org/CA/Responding_To_An_Incident#Keeping_Us_Informed).

When a reply from a CA representative doesn't appear on the list, it might look 
like the CA is not answering questions in a timely fashion.  It would not be 
fair for any CA to be penalized just because there's a moderation queue for 
some messages and/or participants.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Sectigo to Be Acquired by GI Partners

2020-10-16 Thread Jakob Bohm via dev-security-policy

On 2020-10-16 12:33, Rob Stradling wrote:

...clarification of what meaning was intended.


Merely this...

"Hi Ryan.  Tim Callan posted a reply to your questions last week, but his message 
has not yet appeared on the list.  Is it stuck in a moderation queue?"



The part needing clarification started with:

> In addition to the questions posted by Wayne, I think it'd be useful
> to confirm:
> ...

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Sectigo to Be Acquired by GI Partners

2020-10-16 Thread Rob Stradling via dev-security-policy
> ...clarification of what meaning was intended.

Merely this...

"Hi Ryan.  Tim Callan posted a reply to your questions last week, but his 
message has not yet appeared on the list.  Is it stuck in a moderation queue?"

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Sectigo to Be Acquired by GI Partners

2020-10-15 Thread Jakob Bohm via dev-security-policy

On 2020-10-15 16:46, Rob Stradling wrote:

Hi Jacob.  I don't believe that this list mandates any particular posting style 
[https://en.wikipedia.org/wiki/Posting_style].

Although interleaved/inline posting is my preferred style, I'm stuck using 
Outlook365 as my mail client these days.  (Sadly, Thunderbird's usability 
worsened dramatically for me after Sectigo moved corporate email to Office365 a 
few years ago).  So this is the situation I find myself in...

"This widespread policy in business communication made bottom and inline posting so 
unknown among most users that some of the most popular email programs no longer support 
the traditional posting style. For example, Microsoft Outlook, AOL, and Yahoo! make it 
difficult or impossible to indicate which part of a message is the quoted original or do 
not let users insert comments between parts of the original."
[https://en.wikipedia.org/wiki/Posting_style#Quoting_support_in_popular_mail_clients]



I realized that the problem was caused by broken client software, and
was pointing out than in this case, it had led to a specific lack of
clarity and was asking for clarification of what meaning was intended.




From: dev-security-policy  on behalf 
of Jakob Bohm via dev-security-policy 
Sent: 12 October 2020 22:41
To: mozilla-dev-security-pol...@lists.mozilla.org 

Subject: Re: Sectigo to Be Acquired by GI Partners

Hi Rob,

The e-mail you quote below seems to be inadvertently "confirming" some
suspicions that someone else posed as questions. I think the group as a
whole would love to have actual specific answers to those original
questions.

Remember to always add an extra layer of ">" indents for each level of
message quoting, so as to not misattribute text.

On 2020-10-12 10:43, Rob Stradling wrote:

Hi Ryan.  Tim Callan posted a reply to your questions last week, but his 
message has not yet appeared on the list.  Is it stuck in a moderation queue?


From: dev-security-policy  on behalf 
of Ryan Sleevi via dev-security-policy 
Sent: 03 October 2020 22:16
To: Ben Wilson 
Cc: mozilla-dev-security-policy 
Subject: Re: Sectigo to Be Acquired by GI Partners


In a recent incident report [1], a representative of Sectigo noted:

The carve out from Comodo Group was a tough time for us. We had twenty

years’ worth of completely intertwined systems that had to be disentangled
ASAP, a vast hairball of legacy code to deal with, and a skeleton crew of
employees that numbered well under half of what we needed to operate in any
reasonable fashion.



This referred to the previous split [2] of the Comodo CA business from the
rest of Comodo businesses, and rebranding as Sectigo.

In addition to the questions posted by Wayne, I think it'd be useful to
confirm:

1. Is it expected that there will be similar system and/or infrastructure
migrations as part of this? Sectigo's foresight of "no effect on its
operations" leaves it a bit ambiguous whether this is meant as "practical"
effect (e.g. requiring a change of CP/CS or effective policies) or whether
this is meant as no "operational" impact (e.g. things will change, but
there's no disruption anticipated). It'd be useful to frame this response
in terms of any anticipated changes at all (from mundane, like updating the
logos on the website, to significant, such as any procedure/equipment
changes), rather than observed effects.

2. Is there a risk that such an acquisition might further reduce the crew
of employees to an even smaller number? Perhaps not immediately, but over
time, say the next two years, such as "eliminating redundancies" or
"streamlining operations"? I recognize that there's an opportunity such an
acquisition might allow for greater investment and/or scale, and so don't
want to presume the negative, but it would be good to get a clear
commitment as to that, similar to other acquisitions in the past (e.g.
Symantec CA operations by DigiCert)

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1648717#c21
[2]
https://groups.google.com/g/mozilla.dev.security.policy/c/AvGlsb4BAZo/m/p_qpnU9FBQAJ

On Thu, Oct 1, 2020 at 4:55 PM Ben Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:


   As announced previously by Rob Stradling, there is an agreement for
private investment firm GI Partners, out of San Francisco, CA, to acquire
Sectigo. Press release:
https://sectigo.com/resource-library/sectigo-to-be-acquired-by-gi-partners
.


I am treating this as a change of legal ownership covered by section 8.1
<
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#81-change-in-legal-ownership



of the Mozilla Root Store Policy, which states:


If the receiving or acquiring company is new to the Mozilla root program,
it must demonstrate compliance with the entirety

Re: Sectigo to Be Acquired by GI Partners

2020-10-15 Thread Rob Stradling via dev-security-policy
Hi Jacob.  I don't believe that this list mandates any particular posting style 
[https://en.wikipedia.org/wiki/Posting_style].

Although interleaved/inline posting is my preferred style, I'm stuck using 
Outlook365 as my mail client these days.  (Sadly, Thunderbird's usability 
worsened dramatically for me after Sectigo moved corporate email to Office365 a 
few years ago).  So this is the situation I find myself in...

"This widespread policy in business communication made bottom and inline 
posting so unknown among most users that some of the most popular email 
programs no longer support the traditional posting style. For example, 
Microsoft Outlook, AOL, and Yahoo! make it difficult or impossible to indicate 
which part of a message is the quoted original or do not let users insert 
comments between parts of the original."
[https://en.wikipedia.org/wiki/Posting_style#Quoting_support_in_popular_mail_clients]


From: dev-security-policy  on 
behalf of Jakob Bohm via dev-security-policy 

Sent: 12 October 2020 22:41
To: mozilla-dev-security-pol...@lists.mozilla.org 

Subject: Re: Sectigo to Be Acquired by GI Partners

Hi Rob,

The e-mail you quote below seems to be inadvertently "confirming" some
suspicions that someone else posed as questions. I think the group as a
whole would love to have actual specific answers to those original
questions.

Remember to always add an extra layer of ">" indents for each level of
message quoting, so as to not misattribute text.

On 2020-10-12 10:43, Rob Stradling wrote:
> Hi Ryan.  Tim Callan posted a reply to your questions last week, but his 
> message has not yet appeared on the list.  Is it stuck in a moderation queue?
>
> 
> From: dev-security-policy  on 
> behalf of Ryan Sleevi via dev-security-policy 
> 
> Sent: 03 October 2020 22:16
> To: Ben Wilson 
> Cc: mozilla-dev-security-policy 
> 
> Subject: Re: Sectigo to Be Acquired by GI Partners
>
>
> In a recent incident report [1], a representative of Sectigo noted:
>
> The carve out from Comodo Group was a tough time for us. We had twenty
>> years’ worth of completely intertwined systems that had to be disentangled
>> ASAP, a vast hairball of legacy code to deal with, and a skeleton crew of
>> employees that numbered well under half of what we needed to operate in any
>> reasonable fashion.
>
>
> This referred to the previous split [2] of the Comodo CA business from the
> rest of Comodo businesses, and rebranding as Sectigo.
>
> In addition to the questions posted by Wayne, I think it'd be useful to
> confirm:
>
> 1. Is it expected that there will be similar system and/or infrastructure
> migrations as part of this? Sectigo's foresight of "no effect on its
> operations" leaves it a bit ambiguous whether this is meant as "practical"
> effect (e.g. requiring a change of CP/CS or effective policies) or whether
> this is meant as no "operational" impact (e.g. things will change, but
> there's no disruption anticipated). It'd be useful to frame this response
> in terms of any anticipated changes at all (from mundane, like updating the
> logos on the website, to significant, such as any procedure/equipment
> changes), rather than observed effects.
>
> 2. Is there a risk that such an acquisition might further reduce the crew
> of employees to an even smaller number? Perhaps not immediately, but over
> time, say the next two years, such as "eliminating redundancies" or
> "streamlining operations"? I recognize that there's an opportunity such an
> acquisition might allow for greater investment and/or scale, and so don't
> want to presume the negative, but it would be good to get a clear
> commitment as to that, similar to other acquisitions in the past (e.g.
> Symantec CA operations by DigiCert)
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1648717#c21
> [2]
> https://groups.google.com/g/mozilla.dev.security.policy/c/AvGlsb4BAZo/m/p_qpnU9FBQAJ
>
> On Thu, Oct 1, 2020 at 4:55 PM Ben Wilson via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>>   As announced previously by Rob Stradling, there is an agreement for
>> private investment firm GI Partners, out of San Francisco, CA, to acquire
>> Sectigo. Press release:
>> https://sectigo.com/resource-library/sectigo-to-be-acquired-by-gi-partners
>> .
>>
>>
>> I am treating this as a change of legal ownership covered by section 8.1
>> <
>> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#81-change-in-legal-ownership
>>>
>> of the Mozilla Root Store Policy, which sta

Re: Sectigo to Be Acquired by GI Partners

2020-10-15 Thread Tim Callan via dev-security-policy
On Monday, October 12, 2020 at 6:28:06 PM UTC-4, Matt Palmer wrote:
Matt,
 
We can accurately remove the word meaningful from the earlier statement:  We 
anticipate no changes required to policies, operations, or personnel.  If any 
changes do occur in the future, we will of course update our CPS and inform the 
community.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Sectigo to Be Acquired by GI Partners

2020-10-12 Thread Matt Palmer via dev-security-policy
On Fri, Oct 09, 2020 at 06:33:22AM -0700, Tim Callan via dev-security-policy 
wrote:
> We anticipate no meaningful changes required to policies, operations, or 
> personnel.

[...]

> In this case the required changes are virtually nothing.

These statements concern me somewhat, as reasonable people may have
differing thresholds for "meaningful" and "virtually".  Whilst publicly
enumerating every possible change is impossible, I would urge Sectigo to err
on the side of caution when it comes to evaulating whether a change is
"meaningful".  Given Sectigo's long and storied history of failures to
meaningfully engage with the Mozilla community on Sectigo's misadventures, I
doubt there is much appetite for a future in which "oh, we didn't think
*that* was a meaningful change" figures heavily in incident reports.

- Matt

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Sectigo to Be Acquired by GI Partners

2020-10-12 Thread Jakob Bohm via dev-security-policy

Hi Rob,

The e-mail you quote below seems to be inadvertently "confirming" some
suspicions that someone else posed as questions. I think the group as a
whole would love to have actual specific answers to those original
questions.

Remember to always add an extra layer of ">" indents for each level of
message quoting, so as to not misattribute text.

On 2020-10-12 10:43, Rob Stradling wrote:

Hi Ryan.  Tim Callan posted a reply to your questions last week, but his 
message has not yet appeared on the list.  Is it stuck in a moderation queue?


From: dev-security-policy  on behalf 
of Ryan Sleevi via dev-security-policy 
Sent: 03 October 2020 22:16
To: Ben Wilson 
Cc: mozilla-dev-security-policy 
Subject: Re: Sectigo to Be Acquired by GI Partners


In a recent incident report [1], a representative of Sectigo noted:

The carve out from Comodo Group was a tough time for us. We had twenty

years’ worth of completely intertwined systems that had to be disentangled
ASAP, a vast hairball of legacy code to deal with, and a skeleton crew of
employees that numbered well under half of what we needed to operate in any
reasonable fashion.



This referred to the previous split [2] of the Comodo CA business from the
rest of Comodo businesses, and rebranding as Sectigo.

In addition to the questions posted by Wayne, I think it'd be useful to
confirm:

1. Is it expected that there will be similar system and/or infrastructure
migrations as part of this? Sectigo's foresight of "no effect on its
operations" leaves it a bit ambiguous whether this is meant as "practical"
effect (e.g. requiring a change of CP/CS or effective policies) or whether
this is meant as no "operational" impact (e.g. things will change, but
there's no disruption anticipated). It'd be useful to frame this response
in terms of any anticipated changes at all (from mundane, like updating the
logos on the website, to significant, such as any procedure/equipment
changes), rather than observed effects.

2. Is there a risk that such an acquisition might further reduce the crew
of employees to an even smaller number? Perhaps not immediately, but over
time, say the next two years, such as "eliminating redundancies" or
"streamlining operations"? I recognize that there's an opportunity such an
acquisition might allow for greater investment and/or scale, and so don't
want to presume the negative, but it would be good to get a clear
commitment as to that, similar to other acquisitions in the past (e.g.
Symantec CA operations by DigiCert)

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1648717#c21
[2]
https://groups.google.com/g/mozilla.dev.security.policy/c/AvGlsb4BAZo/m/p_qpnU9FBQAJ

On Thu, Oct 1, 2020 at 4:55 PM Ben Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:


  As announced previously by Rob Stradling, there is an agreement for
private investment firm GI Partners, out of San Francisco, CA, to acquire
Sectigo. Press release:
https://sectigo.com/resource-library/sectigo-to-be-acquired-by-gi-partners
.


I am treating this as a change of legal ownership covered by section 8.1
<
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#81-change-in-legal-ownership



of the Mozilla Root Store Policy, which states:


If the receiving or acquiring company is new to the Mozilla root program,
it must demonstrate compliance with the entirety of this policy and there
MUST be a public discussion regarding their admittance to the root

program,

which Mozilla must resolve with a positive conclusion in order for the
affected certificate(s) to remain in the root program.


In order to comply with policy, I hereby formally announce the commencement
of a 3-week discussion period for this change in legal ownership of Sectigo
by requesting thoughtful and constructive feedback from the community.

Sectigo has already stated that it foresees no effect on its operations due
to this ownership change, and I believe that the acquisition announced by
Sectigo and GI Partners is compliant with Mozilla policy.

Thanks,

Ben
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy




Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Sectigo to Be Acquired by GI Partners

2020-10-12 Thread Tim Callan via dev-security-policy
On Saturday, October 3, 2020 at 5:16:41 PM UTC-4, Ryan Sleevi wrote:
> 1. Is it expected that there will be similar system and/or infrastructure 
> migrations as part of this? Sectigo's foresight of "no effect on its 
> operations" leaves it a bit ambiguous whether this is meant as "practical" 
> effect (e.g. requiring a change of CP/CS or effective policies) or whether 
> this is meant as no "operational" impact (e.g. things will change, but 
> there's no disruption anticipated). It'd be useful to frame this response 
> in terms of any anticipated changes at all (from mundane, like updating the 
> logos on the website, to significant, such as any procedure/equipment 
> changes), rather than observed effects. 

Sorry if our earlier message wasn’t clear. We foresee no disruptions, 
challenges, or special needs owing to the change of control. We anticipate no 
meaningful changes required to policies, operations, or personnel. This change 
of control is fundamentally different from the Comodo CA carve-out in that 
there is exactly one going-forward concern. When we broke away from Comodo 
Group, we had to disentangle systems, data, processes, offices, web sites, 
employee responsibilities, vendor relationships, contracts, and more.  In this 
case the required changes are virtually nothing. Our new ownership expects us 
to continue the arc the company is on now, including service offerings, brands, 
sites, etc.

> 2. Is there a risk that such an acquisition might further reduce the crew 
> of employees to an even smaller number? Perhaps not immediately, but over 
> time, say the next two years, such as "eliminating redundancies" or 
> "streamlining operations"? I recognize that there's an opportunity such an 
> acquisition might allow for greater investment and/or scale, and so don't 
> want to presume the negative, but it would be good to get a clear 
> commitment as to that, similar to other acquisitions in the past (e.g. 
> Symantec CA operations by DigiCert) 

There is nothing to suggest that such cuts are coming.  The reason the company 
that’s now called Sectigo started with what we described as a skeleton crew is 
that many employees who had been sometime contributors to the CA business wound 
up staying behind with Comodo Group.  We more than doubled the size of the 
company in the first year as we recruited to fill those gaps.  By way of 
example, of the ten executives listed on our Leadership page, only two of them 
were part of the business prior to the carve-out.

Once again, this time is radically different.  We have been growing in revenue 
and headcount, and there is no reason to expect any kind of contraction.  The 
new ownership at GI Partners has expressed the desire to see our continued 
growth, and we expect them to make the appropriate investments to fuel that.  
We have not had and do not anticipate any layoffs, “streamlining,” etc. as part 
of this change of control.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Sectigo to Be Acquired by GI Partners

2020-10-12 Thread Rob Stradling via dev-security-policy
Hi Ryan.  Tim Callan posted a reply to your questions last week, but his 
message has not yet appeared on the list.  Is it stuck in a moderation queue?


From: dev-security-policy  on 
behalf of Ryan Sleevi via dev-security-policy 

Sent: 03 October 2020 22:16
To: Ben Wilson 
Cc: mozilla-dev-security-policy 
Subject: Re: Sectigo to Be Acquired by GI Partners


In a recent incident report [1], a representative of Sectigo noted:

The carve out from Comodo Group was a tough time for us. We had twenty
> years’ worth of completely intertwined systems that had to be disentangled
> ASAP, a vast hairball of legacy code to deal with, and a skeleton crew of
> employees that numbered well under half of what we needed to operate in any
> reasonable fashion.


This referred to the previous split [2] of the Comodo CA business from the
rest of Comodo businesses, and rebranding as Sectigo.

In addition to the questions posted by Wayne, I think it'd be useful to
confirm:

1. Is it expected that there will be similar system and/or infrastructure
migrations as part of this? Sectigo's foresight of "no effect on its
operations" leaves it a bit ambiguous whether this is meant as "practical"
effect (e.g. requiring a change of CP/CS or effective policies) or whether
this is meant as no "operational" impact (e.g. things will change, but
there's no disruption anticipated). It'd be useful to frame this response
in terms of any anticipated changes at all (from mundane, like updating the
logos on the website, to significant, such as any procedure/equipment
changes), rather than observed effects.

2. Is there a risk that such an acquisition might further reduce the crew
of employees to an even smaller number? Perhaps not immediately, but over
time, say the next two years, such as "eliminating redundancies" or
"streamlining operations"? I recognize that there's an opportunity such an
acquisition might allow for greater investment and/or scale, and so don't
want to presume the negative, but it would be good to get a clear
commitment as to that, similar to other acquisitions in the past (e.g.
Symantec CA operations by DigiCert)

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1648717#c21
[2]
https://groups.google.com/g/mozilla.dev.security.policy/c/AvGlsb4BAZo/m/p_qpnU9FBQAJ

On Thu, Oct 1, 2020 at 4:55 PM Ben Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

>  As announced previously by Rob Stradling, there is an agreement for
> private investment firm GI Partners, out of San Francisco, CA, to acquire
> Sectigo. Press release:
> https://sectigo.com/resource-library/sectigo-to-be-acquired-by-gi-partners
> .
>
>
> I am treating this as a change of legal ownership covered by section 8.1
> <
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#81-change-in-legal-ownership
> >
> of the Mozilla Root Store Policy, which states:
>
> > If the receiving or acquiring company is new to the Mozilla root program,
> > it must demonstrate compliance with the entirety of this policy and there
> > MUST be a public discussion regarding their admittance to the root
> program,
> > which Mozilla must resolve with a positive conclusion in order for the
> > affected certificate(s) to remain in the root program.
>
> In order to comply with policy, I hereby formally announce the commencement
> of a 3-week discussion period for this change in legal ownership of Sectigo
> by requesting thoughtful and constructive feedback from the community.
>
> Sectigo has already stated that it foresees no effect on its operations due
> to this ownership change, and I believe that the acquisition announced by
> Sectigo and GI Partners is compliant with Mozilla policy.
>
> Thanks,
>
> Ben
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Sectigo to Be Acquired by GI Partners

2020-10-05 Thread Rob Stradling via dev-security-policy
Hi Wayne.  We are not currently planning any changes to our CP/CPS as a result 
of this change of control.


From: dev-security-policy  on 
behalf of Wayne Thayer via dev-security-policy 

Sent: 02 October 2020 01:32
To: mozilla-dev-security-policy 
Subject: Re: Sectigo to Be Acquired by GI Partners

CAUTION: This email originated from outside of the organization. Do not click 
links or open attachments unless you recognize the sender and know the content 
is safe.


Rob: what, if any, changes will be made to the Sectigo CP/CPS as a result
of this change of control?

Thanks,

Wayne

On Thu, Oct 1, 2020 at 1:55 PM Ben Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

>  As announced previously by Rob Stradling, there is an agreement for
> private investment firm GI Partners, out of San Francisco, CA, to acquire
> Sectigo. Press release:
> https://sectigo.com/resource-library/sectigo-to-be-acquired-by-gi-partners
> .
>
>
> I am treating this as a change of legal ownership covered by section 8.1
> <
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#81-change-in-legal-ownership
> >
> of the Mozilla Root Store Policy, which states:
>
> > If the receiving or acquiring company is new to the Mozilla root program,
> > it must demonstrate compliance with the entirety of this policy and there
> > MUST be a public discussion regarding their admittance to the root
> program,
> > which Mozilla must resolve with a positive conclusion in order for the
> > affected certificate(s) to remain in the root program.
>
> In order to comply with policy, I hereby formally announce the commencement
> of a 3-week discussion period for this change in legal ownership of Sectigo
> by requesting thoughtful and constructive feedback from the community.
>
> Sectigo has already stated that it foresees no effect on its operations due
> to this ownership change, and I believe that the acquisition announced by
> Sectigo and GI Partners is compliant with Mozilla policy.
>
> Thanks,
>
> Ben
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Sectigo to Be Acquired by GI Partners

2020-10-03 Thread Ryan Sleevi via dev-security-policy
In a recent incident report [1], a representative of Sectigo noted:

The carve out from Comodo Group was a tough time for us. We had twenty
> years’ worth of completely intertwined systems that had to be disentangled
> ASAP, a vast hairball of legacy code to deal with, and a skeleton crew of
> employees that numbered well under half of what we needed to operate in any
> reasonable fashion.


This referred to the previous split [2] of the Comodo CA business from the
rest of Comodo businesses, and rebranding as Sectigo.

In addition to the questions posted by Wayne, I think it'd be useful to
confirm:

1. Is it expected that there will be similar system and/or infrastructure
migrations as part of this? Sectigo's foresight of "no effect on its
operations" leaves it a bit ambiguous whether this is meant as "practical"
effect (e.g. requiring a change of CP/CS or effective policies) or whether
this is meant as no "operational" impact (e.g. things will change, but
there's no disruption anticipated). It'd be useful to frame this response
in terms of any anticipated changes at all (from mundane, like updating the
logos on the website, to significant, such as any procedure/equipment
changes), rather than observed effects.

2. Is there a risk that such an acquisition might further reduce the crew
of employees to an even smaller number? Perhaps not immediately, but over
time, say the next two years, such as "eliminating redundancies" or
"streamlining operations"? I recognize that there's an opportunity such an
acquisition might allow for greater investment and/or scale, and so don't
want to presume the negative, but it would be good to get a clear
commitment as to that, similar to other acquisitions in the past (e.g.
Symantec CA operations by DigiCert)

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1648717#c21
[2]
https://groups.google.com/g/mozilla.dev.security.policy/c/AvGlsb4BAZo/m/p_qpnU9FBQAJ

On Thu, Oct 1, 2020 at 4:55 PM Ben Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

>  As announced previously by Rob Stradling, there is an agreement for
> private investment firm GI Partners, out of San Francisco, CA, to acquire
> Sectigo. Press release:
> https://sectigo.com/resource-library/sectigo-to-be-acquired-by-gi-partners
> .
>
>
> I am treating this as a change of legal ownership covered by section 8.1
> <
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#81-change-in-legal-ownership
> >
> of the Mozilla Root Store Policy, which states:
>
> > If the receiving or acquiring company is new to the Mozilla root program,
> > it must demonstrate compliance with the entirety of this policy and there
> > MUST be a public discussion regarding their admittance to the root
> program,
> > which Mozilla must resolve with a positive conclusion in order for the
> > affected certificate(s) to remain in the root program.
>
> In order to comply with policy, I hereby formally announce the commencement
> of a 3-week discussion period for this change in legal ownership of Sectigo
> by requesting thoughtful and constructive feedback from the community.
>
> Sectigo has already stated that it foresees no effect on its operations due
> to this ownership change, and I believe that the acquisition announced by
> Sectigo and GI Partners is compliant with Mozilla policy.
>
> Thanks,
>
> Ben
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Sectigo to Be Acquired by GI Partners

2020-10-01 Thread Wayne Thayer via dev-security-policy
Rob: what, if any, changes will be made to the Sectigo CP/CPS as a result
of this change of control?

Thanks,

Wayne

On Thu, Oct 1, 2020 at 1:55 PM Ben Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

>  As announced previously by Rob Stradling, there is an agreement for
> private investment firm GI Partners, out of San Francisco, CA, to acquire
> Sectigo. Press release:
> https://sectigo.com/resource-library/sectigo-to-be-acquired-by-gi-partners
> .
>
>
> I am treating this as a change of legal ownership covered by section 8.1
> <
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#81-change-in-legal-ownership
> >
> of the Mozilla Root Store Policy, which states:
>
> > If the receiving or acquiring company is new to the Mozilla root program,
> > it must demonstrate compliance with the entirety of this policy and there
> > MUST be a public discussion regarding their admittance to the root
> program,
> > which Mozilla must resolve with a positive conclusion in order for the
> > affected certificate(s) to remain in the root program.
>
> In order to comply with policy, I hereby formally announce the commencement
> of a 3-week discussion period for this change in legal ownership of Sectigo
> by requesting thoughtful and constructive feedback from the community.
>
> Sectigo has already stated that it foresees no effect on its operations due
> to this ownership change, and I believe that the acquisition announced by
> Sectigo and GI Partners is compliant with Mozilla policy.
>
> Thanks,
>
> Ben
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy