
Re: InfoCert Acquisition of Camerfirma


Wayne Thayer

Jul 18, 2018, 4:56:51 PM
to mozilla-dev-security-policy
I would like to begin a 3-week public discussion period for InfoCert's
acquisition of Camerfirma [1] as described in section 8.1 of the Mozilla
Root Store Policy. I believe that the intent of our policy in this scenario
is to identify and consider any risks introduced by the acquisition of
Camerfirma, and not to reevaluate Camerfirma's inclusion as if it were a
new CA. In that context, I will appreciate everyone's constructive input on
issues that may affect Mozilla's ongoing trust in InfoCert/Camerfirma. I
have included some additional information below.

- Wayne

Camerfirma answered the questions that I posed [2] about this acquisition
as follows:

* Can you confirm that the entire CA operation has been acquired? This
means that all of the roots, systems, policies, people, and
infrastructure are not changing.
-> Yes

* Have any CP/CPS changes occurred, or do you expect any change to
occur as the result of this transaction?
-> No

* Are you undergoing any additional audits, or do you expect any
changes in the status of your audits or compliance certificates as the
result of this transaction?
-> No

* Please describe the management changes that will result from this transaction
-> No changes are expected in the management

* Please describe any changes to personnel that will result from this
transaction
-> No changes are expected to personnel

* Please describe any changes to policies that will result from this transaction
-> No changes are expected to policies

* Please describe any changes to systems that will happen as a result
of this transaction
-> No changes are expected to systems

* Please describe any other changes that will result from this transaction
-> No changes are expected

* Why was Mozilla not notified of this transaction 2 weeks ago when it
was announced?
-> The operation is already public but it's necessary to wait until it
has been done in the Spanish government's public registry. This point
determines the effectiveness of the operation with third parties.

Camerfirma has four SHA-1 roots included in the Mozilla program:
* Chambers of Commerce Root
* Chambers of Commerce Root - 2008
* Global Chambersign Root
* Global Chambersign Root - 2008

A request to include Camerfirma's SHA-2 roots was denied in April [3][4].
They have since informed me that they are in the process of generating new
roots.

Camerfirma has one open compliance bug [5] requesting full audit
information for a subordinate CA.

Camerfirma's 2018 audit statements are overdue - the prior period ended on
14-April 2017, and new statements have not yet been supplied to Mozilla.
Last year's statements are still listed on the Camerfirma website [6].

The latest version of the CPS [7], published in May, does not document any
changes that I find concerning.

[1] https://infocert.digital/infocert-underwrites-a-capital-increase-to-acquire-51-of-the-spanish-ac-camerfirma/
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1463597
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=986854
[4] https://groups.google.com/d/msg/mozilla.dev.security.policy/skev4gp_bY4/snIuP2JLAgAJ
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1455147
[6] https://www.camerfirma.com/camerfirma/acreditaciones/
[7] http://docs.camerfirma.com/publico/DocumentosWeb/politicas/CPS_3.3.1_EN.pdf

On Tue, May 22, 2018 at 3:50 PM Wayne Thayer <wth...@mozilla.com> wrote:

> On Thursday, a representative of AC Camerfirma sent an email informing
> Mozilla that InfoCert [1] has taken control of Camerfirma. News of the deal
> was first published on May 4th. [2]
>
> Section 8.1 of our policy applies here (quoting version 2.6 draft):
>
>> If the receiving or acquiring company is new to the Mozilla root program,
>> it must demonstrate compliance with the entirety of this policy and there
>> MUST be a public discussion regarding their admittance to the root program,
>> which Mozilla must resolve with a positive conclusion in order for the
>> affected certificate(s) to remain in the root program. If the entire CA
>> operation is not included in the scope of the transaction, issuance is not
>> permitted until the discussion has been resolved with a positive conclusion.
>>
>
> InfoCert is new to the Mozilla root program, so a public discussion
> regarding their admittance to the root program is in order. I have
> requested clarification, but my current understanding is that AC
> Camerfirma's entire CA operation is part of the transaction. Thus,
> according to our new policy, certificate issuance may continue during our
> discussion period.
>
> Camerfirma has informed me that they will not be able to answer our
> questions until the transaction "has been done in the Spanish
> government's public registry", which they expect to take approximately 4
> weeks. Meanwhile, I have created a bug [3] to track this request and have
> posed a number of questions to InfoCert.
>
> - Wayne
> [1] https://infocert.digital/about-us/
> [2] https://www.corrierecomunicazioni.it/digital-economy/infocert-sbarca-allestero-acquisito-il-51-della-spagnola-camerfirma/
> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1463597
>

Wayne Thayer

Jul 30, 2018, 8:48:11 PM
to mozilla-dev-security-policy
On Wed, Jul 18, 2018 at 1:56 PM Wayne Thayer <wth...@mozilla.com> wrote:

> I would like to begin a 3-week public discussion period for InfoCert's
> acquisition of Camerfirma [1] as described in section 8.1 of the Mozilla
> Root Store Policy. I believe that the intent of our policy in this scenario
> is to identify and consider any risks introduced by the acquisition of
> Camerfirma, and not to reevaluate Camerfirma's inclusion as if it were a
> new CA. In that context, I will appreciate everyone's constructive input on
> issues that may affect Mozilla's ongoing trust in InfoCert/Camerfirma. I
> have included some additional information below.
>
> - Wayne
>
> Camerfirma answered the questions that I posed [2] about this acquisition
> as follows:
>
> <snip>
>
> Camerfirma has one open compliance bug [5] requesting full audit
> information for a subordinate CA.
>
Camerfirma has supplied the audit information for this subordinate CA.

Camerfirma also recently issued two intermediates that were not disclosed
within the required week [8][9].

> Camerfirma's 2018 audit statements are overdue - the prior period ended on
> 14-April 2017, and new statements have not yet been supplied to Mozilla.
> Last year's statements are still listed on the Camerfirma website [6].
>
Camerfirma has supplied their 2018 audit reports:
https://bugzilla.mozilla.org/show_bug.cgi?id=1478933

The WebTrust, BR, and EV reports all contain multiple qualifications. I
would summarize the qualifications as follows:
* Inconsistencies and omissions in CP/CPS documents which I would consider
relatively minor.
* Misissuances. The reports appear to be referring to those documented in
bugs 1357067, 1390977, 1405815, 1431164, and 1443857.
* Misissuance for "wildcard to immediate left of public suffix in SAN" was
also reported. I found [10] but since those are for the .sener brand TLD,
it is possible that Camerfirma issued them in compliance with BR 3.2.2.6.
* Not meeting the BR requirement to revoke within 24 hours, presumably
referencing bug 1390977.
* The revocation time differs between the OCSP service and CRL for a few
certificates, and the OCSP service responds "good" for some certificates
revoked according to the CRL.
* Failure to begin investigations of problem reports within 24 hours.
* Failure to self-audit at least 3% of issued certificates each quarter.

<snip>

[8] https://crt.sh/?sha256=06a57d1cd5879fba2135610dd8d725cc268d2a6de8a463d424c4b9da89848696&opt=mozilladisclosure
[9] https://crt.sh/?sha256=1defd59846cc2049ba1f1a74d3a8329d1357a2d47c1e1b0c15c27a8c60295455&opt=mozilladisclosure
[10] https://crt.sh/?cablint=319&iCAID=1778&minNotBefore=2017-01-01

Wayne Thayer

Sep 26, 2018, 6:21:58 PM
to mozilla-dev-security-policy
I've held this discussion open for much longer than 3 weeks due to the
qualified audit reports that were received from Camerfirma. Since no
objections to the acquisition have been raised and the audit issues are
being discussed separately [1][2], I would like to close this discussion
and the corresponding bug [3] with a "positive conclusion" as required by
policy section 8.1. If you have concerns with this action, please respond by
the end of this week.

- Wayne

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/Xmr13-ZK0_c/kiyqqk7hCQAJ
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1478933
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1463597

David E. Ross

Sep 26, 2018, 7:41:31 PM
to mozilla-dev-s...@lists.mozilla.org
On 9/26/2018 3:21 PM, Wayne Thayer wrote:
> I've held this discussion open for much longer than 3 weeks due to the
> qualified audit reports that were received from Camerfirma. Since no
> objections to the acquisition have been raised and the audit issues are
> being discussed separately [1][2], I would like to close this discussion
> and the corresponding bug [3] with a "positive conclusion" as required by
> policy section 8.1. If you have concerns with this action, please respond by
> the end of this week.

Should not a "positive conclusion" be withheld until the issues leading
to qualified reports are resolved?

--
David E. Ross
<http://www.rossde.com>

Too often, Twitter is a source of verbal vomit. Examples include Donald
Trump, Roseanne Barr, and Elon Musk.

Wayne Thayer

Feb 7, 2019, 6:15:25 PM
to mozilla-dev-security-policy
I just noticed that my response to David's question was only sent to his
(nob...@nowhere.invalid) reply address and not to the list.

On Wed, Sep 26, 2018 at 4:41 PM David E. Ross via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> On 9/26/2018 3:21 PM, Wayne Thayer wrote:
> > I've held this discussion open for much longer than 3 weeks due to the
> > qualified audit reports that were received from Camerfirma. Since no
> > objections to the acquisition have been raised and the audit issues are
> > being discussed separately [1][2], I would like to close this discussion
> > and the corresponding bug [3] with a "positive conclusion" as required by
> > policy section 8.1. If you have concerns with this action, please respond by
> > the end of this week.
>
> Should not a "positive conclusion" be withheld until the issues leading
> to qualified reports are resolved?
>
This isn't an inclusion request - the roots are already trusted and the CA
continues to issue certificates. The lack of a "positive conclusion" would
really mean that we have to take action to distrust the roots, and that is
no different than what I could imagine happening if the audit
qualifications hadn't been successfully remediated [1].

I've gone ahead and closed the acquisition bug on this basis.

- Wayne

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1478933
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1463597