On Thu, Nov 9, 2017 at 1:25 PM, Peter Kurrasch via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:
> There's always a risk that a CA owner will create a security nightmare
> when we aren't looking, probationary period or not. In theory regular
> audits help to prevent it, but even in cases where they don't, people are
> free to raise concerns as they come up. I think we've had examples of
> exactly that in both StartCom and Symantec.
>
I agree. What we're really talking about here is the removal of trust in a
CA based on new information. In the case of an acquisition, that
information may not be publicly available until after a deal is completed,
making the current requirement to halt issuance very disruptive. I'd modify
section 8.1 of the policy to distinguish an acquisition of the CA
operations from a purchase of a root key, and only require approval prior
to issuance in the latter case.
>
> Perhaps one way to think of it is: Do we have reason to believe that the
> acquiring organization, leadership, etc. will probably make good decisions
> in the furtherance of public trust on the Internet? For a company that is a
> complete unknown, I would say that no evidence exists and therefore a
> public review prior to the acquisition is appropriate. If we do have
> sufficient evidence, perhaps it's OK to let the acquisition go through and
> have a public discussion afterwards.
>
The CA should be responsible for providing information about the effect of
the acquisition on their operations. In this case, Robin provided some
essentials:
>As you have seen from the announcement, we have a new CEO and new Chairman
>who have prior experience in managing a trusted CA organization.
>
>There are to be no resultant changes to our CPS, our operations, our
>business policies or procedures, or the secure locations from which we
>operate our CA infrastructure.
>
>The operational personnel in Comodo CA Limited will not change. The
>certificate validation teams will remain unchanged.
The policy already requires the CA to disclose any CPS changes. I'd add a
requirement that the CA provide a public statement describing all material
changes that will be made as a result of the acquisition. That statement
should be signed by senior management of the acquiring company. The CA
should also [obviously] be expected to answer any reasonable questions that
are raised during the discussion period.