
Francisco Partners acquires Comodo certificate authority business


Kyle Hamilton

Oct 31, 2017, 9:22:09 AM
to mozilla-dev-s...@lists.mozilla.org

Kyle Hamilton

Oct 31, 2017, 1:51:20 PM
to mozilla-dev-s...@lists.mozilla.org
Another article about this is
http://www.securityweek.com/francisco-partners-acquires-comodo-ca .

Notably, I'm not seeing anything in the official news announcements
pages for either Francisco Partners or Comodo.  Is this an attempt at
another StartCom (silent ownership transfer), or is it a case of "rumor
mill reported as fact"?

-Kyle H


On 2017-10-31 06:21, Kyle Hamilton wrote:
> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business

Peter Kurrasch

Oct 31, 2017, 3:44:24 PM
to mozilla-dev-s...@lists.mozilla.org
Both articles are long on names, short on dates. I don't fault the authors for that but it is troubling that better information wasn't made available to them.

When can we expect a proper announcement in this forum? I would expect any such announcement to provide details on the skills and experience that this new leadership team has in running a CA. For example, are they aware of section 8 of the Mozilla Root Store Policy?
_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Ryan Sleevi

Oct 31, 2017, 3:59:11 PM
to Kyle Hamilton, mozilla-dev-s...@lists.mozilla.org
You didn't really leave room for productive discussion between your
options, did you? :)

As you can see from
https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md#8-ca-operational-changes
, notification is required for certain changes - but that notification goes
to a Mozilla mail alias, not to the public lists. As such, one should not
presume that because of a lack of public discussion, there was a lack of
notice.

With respect to "rumor mill reported as fact", considering the people named
in the first article you mentioned include the CEO of Comodo CA and the
Chairman of the Board, it seems that the only way this would be "rumor
mill" is based on whether or not eweek and securityweek are reputable
organizations, right?

Ryan Sleevi

Oct 31, 2017, 3:59:59 PM
to Peter Kurrasch, mozilla-dev-security-policy
On Tue, Oct 31, 2017 at 3:44 PM, Peter Kurrasch via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> Both articles are long on names, short on dates. I don't fault the authors
> for that but it is troubling that better information wasn't made available
> to them.
>
> When can we expect a proper announcement in this forum? I would expect any
> such announcement to provide details on the skills and experience that this
> new leadership team has in running a CA. ‎For example, are they aware of
> section 8 of the Mozilla Root Store Policy?
>

Such announcements are not part of the Mozilla Policy expectations. Could
you clarify why you expect such an announcement?

m...@flanga.io

Oct 31, 2017, 4:39:19 PM
to mozilla-dev-s...@lists.mozilla.org
Am Dienstag, 31. Oktober 2017 14:22:09 UTC+1 schrieb Kyle Hamilton:
> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business

So they sell multiple roots over to a company that is "the leader in Deep Packet Inspection (DPI) and we've got a lot going on in that space" and enable them to issue trusted certificates and MITM all encrypted connections with that? That is a good Halloween joke!

Peter Kurrasch

Nov 1, 2017, 12:36:41 AM
to mozilla-dev-security-policy
The timing and content of any announcement is undoubtedly complicated, caused, in no small part, by legitimate needs for confidentiality against the goals of transparency. I have every reason to trust in the good judgment of Gerv and Kathleen in navigating that path with the interests of this community in mind. If there is more they are able to say on this matter, I hope that they will; if not, I will understand.

That said, I hope someone will indeed say more about the reporting in these articles. There are 2 issues in particular that I think would be good to address at this time. The first is the use of the past tense (e.g. "has acquired") regarding the reported transaction. How much of the acquisition process has, in fact, transpired--if anything?

The second is the meager explanation of what has transpired or is expected to transpire--again, if anything. Based on my understanding, there is (or will be) a change of legal ownership and leadership. Accordingly, is a review of the new ownership warranted? Bringing together a CA with a Deep Packet Inspection business certainly is...uncomfortable.

It is my sincere hope that someone will come forward and provide some clarity, even if just to say this is fake news.


From: Ryan Sleevi
Sent: Tuesday, October 31, 2017 2:59 PM
To: Peter Kurrasch
Cc: mozilla-dev-security-policy
Subject: Re: Francisco Partners acquires Comodo certificate authority business

Gervase Markham

Nov 1, 2017, 7:04:29 AM
to mozilla-dev-s...@lists.mozilla.org
Comodo notified Mozilla of this impending acquisition privately in
advance, and requested confidentiality, which we granted. Now that the
acquisition is public, it is reasonable for the community to have a
discussion about the implications for Mozilla's trust of Comodo, if any.

However, there is also another wrinkle to iron out. Our policy 2.5 says:
"If the receiving or acquiring company is new to the Mozilla root
program, there MUST be a public discussion regarding their admittance to
the root program, which Mozilla must resolve with a positive conclusion
before issuance is permitted."

I personally feel that this is a bug, in that technically it says that
as soon as a deal closes and is announced, the CA has to stop issuance
entirely until the Mozilla community has had a discussion and given the
OK. I believe that's not reasonable and would create massive business
disruption if the letter of that rule were enforced strictly. I think
that when we wrote the policy, we didn't anticipate the situation where
the buyer would be confidential until closing. (Compare Digimantec,
where it's not.)

So it would also be useful to have a discussion about what this section
of the policy should actually say.

Gerv

Robin Alden

Nov 1, 2017, 10:31:39 AM
to mozilla-dev-s...@lists.mozilla.org
> -----Original Message-----
> From: Gerv
> Subject: Re: Francisco Partners acquires Comodo certificate authority business
>
> On 31/10/17 13:21, Kyle Hamilton wrote:
> > http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business
>
> Comodo notified Mozilla of this impending acquisition privately in
> advance, and requested confidentiality, which we granted. Now that the
> acquisition is public, it is reasonable for the community to have a
> discussion about the implications for Mozilla's trust of Comodo, if any.

http://www.businesswire.com/news/home/20171031005584/en/Francisco-Partners-Announces-Acquisition-Comodo%E2%80%99s-Certificate-Authority

We can confirm that a majority stake in Comodo CA Ltd. has been acquired by
Francisco Partners.

The deal has closed, i.e. the transaction is complete.

We are conscious of the requirements of section 8 of the Mozilla Root Store
Policy.

As you have seen from the announcement, we have a new CEO and new Chairman
who have prior experience in managing a trusted CA organization.

There are to be no resultant changes to our CPS, our operations, our
business policies or procedures, or the secure locations from which we
operate our CA infrastructure.

The operational personnel in Comodo CA Limited will not change. The
certificate validation teams will remain unchanged.

Regards
Robin Alden & Rob Stradling
Comodo CA Ltd.

Robin Alden

Nov 1, 2017, 11:52:45 AM
to Peter Gutmann, mozilla-dev-s...@lists.mozilla.org
Peter,
As you noted in your post to the cryptography list, Francisco
Partners' website states that they exited from their investment in Blue
Coat.
https://www.franciscopartners.com/investments/blue-coat?sector=Comms-Security&r=1200

Regards
Robin Alden
Comodo

> -----Original Message-----
> From: Peter Gutmann
> via dev-security-policy
> Sent: 01 November 2017 04:08
> To: mozilla-dev-s...@lists.mozilla.org; m...@flanga.io
> Subject: Re: Francisco Partners acquires Comodo certificate authority business
>
> mw--- via dev-security-policy <dev-secur...@lists.mozilla.org> writes:
>
> >So they sell multiple roots over to a company that is "the leader in Deep
> >Packet Inspection (DPI) and we've got a lot going on in that space" and
> >enable them to issue trusted certificates and MITM all encrypted connections
> >with that? That is a good Halloween joke!
>
> Francisco Partners is more a general investment company, but in that regard
> they also have a stake in firms like Blue Coat, whose products have been used
> by repressive regimes against their citizens.
>
> Still, it's amusing that a perfect mechanism for performing MITM attacks is
> now controlled by a company who has other arms that actively perform MITM
> attacks.
>
> Peter.

westm...@gmail.com

Nov 1, 2017, 3:23:07 PM
to mozilla-dev-s...@lists.mozilla.org
Hello,

Why did you remove the post of Peter Gutmann (Nov. 1, 2017, 4:08)?

If I understand correctly, at the time of the public discussion about the new SSL.com root certificates (SSL.com being an RA of Comodo), Mozilla concealed information about the acquisition of Comodo's SSL business, and so the past public discussion about the new SSL.com root certificates can, as of this moment, be considered incorrect.

Regards,
Andrew.

Paul Kehrer

Nov 1, 2017, 3:38:28 PM
to mozilla-dev-s...@lists.mozilla.org
On November 1, 2017 at 2:23:17 PM, westmail24--- via dev-security-policy (
dev-secur...@lists.mozilla.org) wrote:

> Hello,
>
> If I understand correctly, at the time of the public discussion about the
> new SSL.com root certificates (SSL.com being an RA of Comodo), Mozilla
> concealed information about the acquisition of Comodo's SSL business, and
> so the past public discussion about the new SSL.com root certificates can,
> as of this moment, be considered incorrect.


I don't think it's going to be a productive avenue of discussion to imply
Mozilla acted in bad faith with regard to private knowledge of an impending
sale.

If people are seriously concerned by these sorts of transactions I'd urge
them to participate in discussions around mandatory CT as that provides
technical means to document the hypothetical malfeasance they're concerned
about.

-Paul
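
As an added illustration of the point Paul makes (this is example code written for this page, not part of the thread and not Mozilla, Comodo or any log operator's code): the RFC 6962 Merkle tree is what makes a CT log's claim "this certificate was logged" checkable by anyone. The block below builds a small constructed log of placeholder leaves, has the log side compute an inclusion proof for one entry, and has the auditor side recompute the tree head from that proof without seeing the other entries. A certificate the log never accepted, or a proof presented against a tree head of the wrong size, fails the check. The leaves are constructed byte strings standing in for the TLS-encoded MerkleTreeLeaf structures a real log hashes; the verifier follows the step-by-step procedure later written up in RFC 9162, which hashes the same tree.

```python
"""RFC 6962 Merkle tree hashing plus auditor-side inclusion-proof verification."""
import hashlib
from typing import List

LEAF_PREFIX = b"\x00"   # RFC 6962 section 2.1: domain separation for leaves
NODE_PREFIX = b"\x01"   # ... and for interior nodes (prevents second-preimage tricks)


def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(leaves: List[bytes]) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1; the value a signed tree head commits to."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(leaves[0])
    k = _split_point(n)
    return hash_node(merkle_tree_hash(leaves[:k]), merkle_tree_hash(leaves[k:]))


def inclusion_path(leaves: List[bytes], m: int) -> List[bytes]:
    """PATH(m, D[n]) from RFC 6962 section 2.1.1: sibling hashes from leaf to root.

    This is the log side: what get-proof-by-hash returns to an auditor."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split_point(n)
    if m < k:
        return inclusion_path(leaves[:k], m) + [merkle_tree_hash(leaves[k:])]
    return inclusion_path(leaves[k:], m - k) + [merkle_tree_hash(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     path: List[bytes], root_hash: bytes) -> bool:
    """Auditor side: rebuild the root from one leaf and its path, nothing else
    (the procedure of RFC 9162 section 2.1.3.2, which matches RFC 6962 trees)."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = hash_leaf(leaf)
    for p in path:
        if sn == 0:
            return False            # more path elements than the tree can hold
        if fn & 1 or fn == sn:
            r = hash_node(p, r)     # we are a right child: sibling sits on the left
            if not fn & 1:
                # climb past levels where this subtree has no right sibling
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = hash_node(r, p)     # we are a left child: sibling sits on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root_hash


def demo() -> dict:
    """Constructed log: each 'leaf' stands in for an encoded MerkleTreeLeaf
    wrapping a (pre)certificate. Real logs hash the TLS-encoded structure."""
    leaves = [f"cert-{i}".encode() for i in range(5)]   # constructed sample data
    root = merkle_tree_hash(leaves)
    proofs = {i: inclusion_path(leaves, i) for i in range(len(leaves))}
    genuine = all(verify_inclusion(leaves[i], i, len(leaves), proofs[i], root)
                  for i in range(len(leaves)))
    # a certificate the log never saw cannot be shown present under this root
    forged = verify_inclusion(b"cert-not-logged", 2, len(leaves), proofs[2], root)
    # nor does a valid proof carry over to a tree head of a different size
    wrong_size = verify_inclusion(leaves[4], 4, 6, proofs[4], root)
    return {"root": root.hex(), "genuine": genuine,
            "forged": forged, "wrong_size": wrong_size}


if __name__ == "__main__":
    print(demo())
```

The check needs only the leaf, its index, the tree size and the path, which is why a browser or monitor can hold a log to its word without downloading the log: a log that issues a signed tree head and then cannot produce a passing proof for a certificate it signed an SCT for has been caught in a verifiable way.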

Kathleen Wilson

Nov 1, 2017, 3:38:28 PM
to mozilla-dev-s...@lists.mozilla.org
Please forward the missing email from Peter Gutmann to me.

I do not know if it is related, but we have been experiencing problems
with groups.google.com:

https://bugzilla.mozilla.org/show_bug.cgi?id=1412993

Kathleen

Leo Grove

Nov 1, 2017, 4:47:12 PM
to mozilla-dev-s...@lists.mozilla.org
Andrew,

I'm not sure where you got your information, but SSL.com is a completely separate company from Comodo. We are based in Houston, Texas.

Although we have a reseller agreement with Comodo, which is quite common among CAs in the industry, we are not an RA of Comodo as we cannot do our own validation on certificates chained to Comodo's Root certificates.

Regards,

Leo Grove

Peter Kurrasch

Nov 8, 2017, 9:09:37 AM
to mozilla-dev-s...@lists.mozilla.org
I could see introducing something of a probationary period of, say, 6 weeks for a public review and discussion, post-acquisition. As a sign of good faith, Mozilla would allow the new entity to continue to issue end-entity certificates. Also as a sign of good faith, the acquirer would agree not to make changes to staff, infrastructure, keys, and so forth and will abstain from changing the interconnectedness of root and intermediate certs.

The idea here being that if we should encounter something that is not acceptable, we need the ability to undo any actions taken during the probationary period. I was thinking 6 weeks would allow enough business days for people to investigate any issues that might arise and accommodate vacation schedules and such. I also think the probationary period would be granted under only certain circumstances--that is, not every acquirer will necessarily qualify.


From: Gervase Markham via dev-security-policy
Sent: Wednesday, November 1, 2017 6:04 AM
Reply To: Gervase Markham
Subject: Re: Francisco Partners acquires Comodo certificate authority business


westm...@gmail.com

Nov 8, 2017, 8:50:07 PM
to mozilla-dev-s...@lists.mozilla.org
Hello Peter,

But what prevents Francisco Partners from creating a security nightmare after the probationary period? This is logical, I think.

Regards,
Andrew

Peter Kurrasch

Nov 9, 2017, 3:25:18 PM
to mozilla-dev-security-policy
There's always a risk that a CA owner will create a security nightmare when we aren't looking, probationary period or not. In theory regular audits help to prevent it, but even in cases where they don't, people are free to raise concerns as they come up. I think we've had examples of exactly that in both StartCom and Symantec.

Perhaps one way to think of it is: Do we have reason to believe that the acquiring organization, leadership, etc. will probably make good decisions in the furtherance of public trust on the Internet? For a company that is a complete unknown, I would say that no evidence exists and therefore a public review prior to the acquisition is appropriate. If we do have sufficient evidence, perhaps it's OK to let the acquisition go through and have a public discussion afterwards.


The Francisco Partners situation is more complicated, however. Francisco Partners itself does not strike me as the sort of company that should own a CA but only because they are investors and not a public trust firm of some sort. That said, they are smart enough to bring in a leadership team that does have knowledge and experience in this space. Unfortunately, though, they are also bringing in a Deep Packet Inspection business which is antithetical to public trust. So what is one to conclude?

The reporting that I've seen seems to indicate that Francisco Partners will not (will never?) combine PKI and DPI into a single business operation. They have to know that doing so would be ruinous to their CA investment. If we assume they know that and if we are willing to take them at their word, I suppose it's reasonable to "allow" the transfer as it relates to Mozilla policy. If we should learn later on that that trust was misplaced, I'm sure we will discuss it and take appropriate action at that time.


From: westmail24--- via dev-security-policy
Sent: Wednesday, November 8, 2017 7:50 PM

Peter Bachman

Nov 9, 2017, 6:12:07 PM
to mozilla-dev-s...@lists.mozilla.org
On Tuesday, October 31, 2017 at 9:22:09 AM UTC-4, Kyle Hamilton wrote:
> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business

I did a little spot check. So yes, they hired a person who was involved with Entrust, so that is a plus. The website says it is an IP carve-out. OK. Does this translate into knowledge so a consumer can make a rational trust decision?

I looked at their most recent CPS while shopping for a client email certificate.

3.2.7.1. Personal Secure Email Certificate
The only identifying information in the subject DN is the email address of the Subscriber. Comodo validates the right for the Applicant to use the submitted email address. This is achieved through the delivery via a challenge and response made to the email address submitted during the Certificate application. Comodo validates that the Applicant holds the private key corresponding with a public key to be included in the Certificate by utilizing an online enrollment process whereby Comodo facilitates the Subscriber generating its key pair using a specially crafted web page. The key pair is generated in the Subscriber's computer. The private key is not exported or transferred from the Subscriber's computer as part of the application process.

This was previously "Free" and now is billed at $12, but no matter. I clicked on the chat window and spoke to a technical support rep. I asked what NIST Level of Assurance the S/MIME certificate was; after about 10 minutes I got the answer, which was LOA 3.

So as a consumer I was just told I could get a NIST LOA 3 S/MIME client and signing certificate for $12, that according to the website also would be trusted by Mozilla, etc. Of course I know that's not possible, and we can't always expect random support people to give the right answer. So what is the value add here from Francisco Partners, other than the previously "Free" certificate is now $12 and claimed to be at LOA 3?

Wayne Thayer

Nov 10, 2017, 11:34:32 AM
to Peter Kurrasch, mozilla-dev-security-policy
On Thu, Nov 9, 2017 at 1:25 PM, Peter Kurrasch via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> There's always a risk that a CA owner will create a security nightmare
> when we aren't looking, probationary period or not. In theory regular
> audits help to prevent it, but even in cases where they don't, people are
> free to raise concerns as they come up. I think we've had examples of
> exactly that in both StartCom and Symantec.‎
>

I agree. What we're really talking about here is the removal of trust in a
CA based on new information. In the case of an acquisition, that
information may not be publicly available until after a deal is completed,
making the current requirement to halt issuance very disruptive. I'd modify
section 8.1 of the policy to distinguish an acquisition of the CA
operations from a purchase of a root key, and only require approval prior
to issuance in the latter case.

> Perhaps one way to think of it is: Do we have reason to believe that the
> acquiring organization, leadership, etc. will probably make good decisions
> in the furtherance of public trust on the Internet? For a company that is a
> complete unknown, I would say that no evidence exists and therefore a
> public review prior to the acquisition is appropriate. If we do have
> sufficient evidence, perhaps it's OK to let the acquisition go through and
> have a public discussion afterwards.

The CA should be responsible for providing information about the effect of
the acquisition on their operations. In this case, Robin provided some
essentials:

>As you have seen from the announcement, we have a new CEO and new Chairman
>who have prior experience in managing a trusted CA organization.
>
>There are to be no resultant changes to our CPS, our operations, our
>business policies or procedures, or the secure locations from which we
>operate our CA infrastructure.
>
>The operational personnel in Comodo CA Limited will not change. The
>certificate validation teams will remain unchanged.

The policy already requires the CA to disclose any CPS changes. I'd add a
requirement that the CA provide a public statement describing all material
changes that will be made as a result of the acquisition. That statement
should be signed by Senior management of the acquiring company. The CA
should also [obviously] be expected to answer any reasonable questions that
are raised during the discussion period.