Re: Sectigo to Be Acquired by GI Partners
Jakob wrote:
> The part needing clarification started with:
>
> > In addition to the questions posted by Wayne, I think it'd be useful
> > to confirm:
> > ...

I did not address that part of Ryan's post, but Tim's delayed message did address it. See https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg13782.html and https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg13795.html

The only purpose of my post was to say that Tim had posted a message that (we believed) had got stuck in a moderation queue.

I felt that I needed to post my message because Mozilla expects CAs to answer questions in a timely fashion (see https://wiki.mozilla.org/CA/Responding_To_An_Incident#Keeping_Us_Informed). When a reply from a CA representative doesn't appear on the list, it might look like the CA is not answering questions in a timely fashion. It would not be fair for any CA to be penalized just because there's a moderation queue for some messages and/or participants.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Sectigo to Be Acquired by GI Partners
On 2020-10-16 12:33, Rob Stradling wrote:
> > ...clarification of what meaning was intended.
>
> Merely this...
>
> "Hi Ryan. Tim Callan posted a reply to your questions last week, but his message has not yet appeared on the list. Is it stuck in a moderation queue?"

The part needing clarification started with:

> In addition to the questions posted by Wayne, I think it'd be useful
> to confirm:
> ...

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: Sectigo to Be Acquired by GI Partners
> ...clarification of what meaning was intended.

Merely this...

"Hi Ryan. Tim Callan posted a reply to your questions last week, but his message has not yet appeared on the list. Is it stuck in a moderation queue?"
Re: Sectigo to Be Acquired by GI Partners
On 2020-10-15 16:46, Rob Stradling wrote:
> Hi Jacob.
>
> I don't believe that this list mandates any particular posting style [https://en.wikipedia.org/wiki/Posting_style].
>
> Although interleaved/inline posting is my preferred style, I'm stuck using Outlook365 as my mail client these days. (Sadly, Thunderbird's usability worsened dramatically for me after Sectigo moved corporate email to Office365 a few years ago). So this is the situation I find myself in...
>
> "This widespread policy in business communication made bottom and inline posting so unknown among most users that some of the most popular email programs no longer support the traditional posting style. For example, Microsoft Outlook, AOL, and Yahoo! make it difficult or impossible to indicate which part of a message is the quoted original or do not let users insert comments between parts of the original."
> [https://en.wikipedia.org/wiki/Posting_style#Quoting_support_in_popular_mail_clients]

I realized that the problem was caused by broken client software, and was pointing out that in this case, it had led to a specific lack of clarity and was asking for clarification of what meaning was intended.
Re: Sectigo to Be Acquired by GI Partners
Hi Jacob.

I don't believe that this list mandates any particular posting style [https://en.wikipedia.org/wiki/Posting_style].

Although interleaved/inline posting is my preferred style, I'm stuck using Outlook365 as my mail client these days. (Sadly, Thunderbird's usability worsened dramatically for me after Sectigo moved corporate email to Office365 a few years ago). So this is the situation I find myself in...

"This widespread policy in business communication made bottom and inline posting so unknown among most users that some of the most popular email programs no longer support the traditional posting style. For example, Microsoft Outlook, AOL, and Yahoo! make it difficult or impossible to indicate which part of a message is the quoted original or do not let users insert comments between parts of the original."
[https://en.wikipedia.org/wiki/Posting_style#Quoting_support_in_popular_mail_clients]

From: dev-security-policy on behalf of Jakob Bohm via dev-security-policy
Sent: 12 October 2020 22:41
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Sectigo to Be Acquired by GI Partners

Hi Rob,

The e-mail you quote below seems to be inadvertently "confirming" some suspicions that someone else posed as questions. I think the group as a whole would love to have actual specific answers to those original questions.

Remember to always add an extra layer of ">" indents for each level of message quoting, so as to not misattribute text.
Re: Sectigo to Be Acquired by GI Partners
On Monday, October 12, 2020 at 6:28:06 PM UTC-4, Matt Palmer wrote:

Matt,

We can accurately remove the word meaningful from the earlier statement:

We anticipate no changes required to policies, operations, or personnel. If any changes do occur in the future, we will of course update our CPS and inform the community.
Re: Sectigo to Be Acquired by GI Partners
On Fri, Oct 09, 2020 at 06:33:22AM -0700, Tim Callan via dev-security-policy wrote:
> We anticipate no meaningful changes required to policies, operations, or
> personnel.

[...]

> In this case the required changes are virtually nothing.

These statements concern me somewhat, as reasonable people may have differing thresholds for "meaningful" and "virtually". Whilst publicly enumerating every possible change is impossible, I would urge Sectigo to err on the side of caution when it comes to evaluating whether a change is "meaningful". Given Sectigo's long and storied history of failures to meaningfully engage with the Mozilla community on Sectigo's misadventures, I doubt there is much appetite for a future in which "oh, we didn't think *that* was a meaningful change" figures heavily in incident reports.

- Matt
Re: Sectigo to Be Acquired by GI Partners
Hi Rob,

The e-mail you quote below seems to be inadvertently "confirming" some suspicions that someone else posed as questions. I think the group as a whole would love to have actual specific answers to those original questions.

Remember to always add an extra layer of ">" indents for each level of message quoting, so as to not misattribute text.

On 2020-10-12 10:43, Rob Stradling wrote:
> Hi Ryan. Tim Callan posted a reply to your questions last week, but his
> message has not yet appeared on the list. Is it stuck in a moderation queue?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: Sectigo to Be Acquired by GI Partners
On Saturday, October 3, 2020 at 5:16:41 PM UTC-4, Ryan Sleevi wrote:
> 1. Is it expected that there will be similar system and/or infrastructure
> migrations as part of this? Sectigo's foresight of "no effect on its
> operations" leaves it a bit ambiguous whether this is meant as "practical"
> effect (e.g. requiring a change of CP/CS or effective policies) or whether
> this is meant as no "operational" impact (e.g. things will change, but
> there's no disruption anticipated). It'd be useful to frame this response
> in terms of any anticipated changes at all (from mundane, like updating the
> logos on the website, to significant, such as any procedure/equipment
> changes), rather than observed effects.

Sorry if our earlier message wasn’t clear. We foresee no disruptions, challenges, or special needs owing to the change of control. We anticipate no meaningful changes required to policies, operations, or personnel.

This change of control is fundamentally different from the Comodo CA carve-out in that there is exactly one going-forward concern. When we broke away from Comodo Group, we had to disentangle systems, data, processes, offices, web sites, employee responsibilities, vendor relationships, contracts, and more. In this case the required changes are virtually nothing. Our new ownership expects us to continue the arc the company is on now, including service offerings, brands, sites, etc.

> 2. Is there a risk that such an acquisition might further reduce the crew
> of employees to an even smaller number? Perhaps not immediately, but over
> time, say the next two years, such as "eliminating redundancies" or
> "streamlining operations"? I recognize that there's an opportunity such an
> acquisition might allow for greater investment and/or scale, and so don't
> want to presume the negative, but it would be good to get a clear
> commitment as to that, similar to other acquisitions in the past (e.g.
> Symantec CA operations by DigiCert)

There is nothing to suggest that such cuts are coming. The reason the company that’s now called Sectigo started with what we described as a skeleton crew is that many employees who had been sometime contributors to the CA business wound up staying behind with Comodo Group. We more than doubled the size of the company in the first year as we recruited to fill those gaps. By way of example, of the ten executives listed on our Leadership page, only two of them were part of the business prior to the carve-out.

Once again, this time is radically different. We have been growing in revenue and headcount, and there is no reason to expect any kind of contraction. The new ownership at GI Partners has expressed the desire to see our continued growth, and we expect them to make the appropriate investments to fuel that. We have not had and do not anticipate any layoffs, “streamlining,” etc. as part of this change of control.
Re: Sectigo to Be Acquired by GI Partners
Hi Ryan. Tim Callan posted a reply to your questions last week, but his message has not yet appeared on the list. Is it stuck in a moderation queue?
Re: Sectigo to Be Acquired by GI Partners
Hi Wayne. We are not currently planning any changes to our CP/CPS as a result of this change of control.

From: dev-security-policy on behalf of Wayne Thayer via dev-security-policy
Sent: 02 October 2020 01:32
To: mozilla-dev-security-policy
Subject: Re: Sectigo to Be Acquired by GI Partners

Rob: what, if any, changes will be made to the Sectigo CP/CPS as a result of this change of control?

Thanks,

Wayne
Re: Sectigo to Be Acquired by GI Partners
In a recent incident report [1], a representative of Sectigo noted:

> The carve out from Comodo Group was a tough time for us. We had twenty
> years’ worth of completely intertwined systems that had to be disentangled
> ASAP, a vast hairball of legacy code to deal with, and a skeleton crew of
> employees that numbered well under half of what we needed to operate in any
> reasonable fashion.

This referred to the previous split [2] of the Comodo CA business from the rest of Comodo businesses, and rebranding as Sectigo.

In addition to the questions posted by Wayne, I think it'd be useful to confirm:

1. Is it expected that there will be similar system and/or infrastructure migrations as part of this? Sectigo's foresight of "no effect on its operations" leaves it a bit ambiguous whether this is meant as "practical" effect (e.g. requiring a change of CP/CS or effective policies) or whether this is meant as no "operational" impact (e.g. things will change, but there's no disruption anticipated). It'd be useful to frame this response in terms of any anticipated changes at all (from mundane, like updating the logos on the website, to significant, such as any procedure/equipment changes), rather than observed effects.

2. Is there a risk that such an acquisition might further reduce the crew of employees to an even smaller number? Perhaps not immediately, but over time, say the next two years, such as "eliminating redundancies" or "streamlining operations"? I recognize that there's an opportunity such an acquisition might allow for greater investment and/or scale, and so don't want to presume the negative, but it would be good to get a clear commitment as to that, similar to other acquisitions in the past (e.g. Symantec CA operations by DigiCert)

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1648717#c21
[2] https://groups.google.com/g/mozilla.dev.security.policy/c/AvGlsb4BAZo/m/p_qpnU9FBQAJ
Re: Sectigo to Be Acquired by GI Partners
Rob: what, if any, changes will be made to the Sectigo CP/CPS as a result of this change of control?

Thanks,

Wayne

On Thu, Oct 1, 2020 at 1:55 PM Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> As announced previously by Rob Stradling, there is an agreement for
> private investment firm GI Partners, out of San Francisco, CA, to acquire
> Sectigo. Press release:
> https://sectigo.com/resource-library/sectigo-to-be-acquired-by-gi-partners
> .
>
> I am treating this as a change of legal ownership covered by section 8.1
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#81-change-in-legal-ownership>
> of the Mozilla Root Store Policy, which states:
>
> > If the receiving or acquiring company is new to the Mozilla root program,
> > it must demonstrate compliance with the entirety of this policy and there
> > MUST be a public discussion regarding their admittance to the root program,
> > which Mozilla must resolve with a positive conclusion in order for the
> > affected certificate(s) to remain in the root program.
>
> In order to comply with policy, I hereby formally announce the commencement
> of a 3-week discussion period for this change in legal ownership of Sectigo
> by requesting thoughtful and constructive feedback from the community.
>
> Sectigo has already stated that it foresees no effect on its operations due
> to this ownership change, and I believe that the acquisition announced by
> Sectigo and GI Partners is compliant with Mozilla policy.
>
> Thanks,
>
> Ben