Sectigo to Be Acquired by GI Partners

[Ben Wilson]

As announced previously by Rob Stradling, there is an agreement for
private investment firm GI Partners, out of San Francisco, CA, to acquire
Sectigo. Press release:
https://sectigo.com/resource-library/sectigo-to-be-acquired-by-gi-partners.


I am treating this as a change of legal ownership covered by section 8.1
<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#81-change-in-legal-ownership>
of the Mozilla Root Store Policy, which states:

> If the receiving or acquiring company is new to the Mozilla root program,
> it must demonstrate compliance with the entirety of this policy and there
> MUST be a public discussion regarding their admittance to the root
program,
> which Mozilla must resolve with a positive conclusion in order for the
> affected certificate(s) to remain in the root program.

In order to comply with policy, I hereby formally announce the commencement
of a 3-week discussion period for this change in legal ownership of Sectigo
by requesting thoughtful and constructive feedback from the community.

Sectigo has already stated that it foresees no effect on its operations due
to this ownership change, and I believe that the acquisition announced by
Sectigo and GI Partners is compliant with Mozilla policy.

Thanks,

Ben

[Wayne Thayer]

Rob: what, if any, changes will be made to the Sectigo CP/CPS as a result
of this change of control?

Thanks,

Wayne

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>

[Ryan Sleevi]

In a recent incident report [1], a representative of Sectigo noted:

The carve out from Comodo Group was a tough time for us. We had twenty
> years’ worth of completely intertwined systems that had to be disentangled
> ASAP, a vast hairball of legacy code to deal with, and a skeleton crew of
> employees that numbered well under half of what we needed to operate in any
> reasonable fashion.


This referred to the previous split [2] of the Comodo CA business from the
rest of Comodo businesses, and rebranding as Sectigo.

In addition to the questions posted by Wayne, I think it'd be useful to
confirm:

1. Is it expected that there will be similar system and/or infrastructure
migrations as part of this? Sectigo's foresight of "no effect on its
operations" leaves it a bit ambiguous whether this is meant as "practical"
effect (e.g. requiring a change of CP/CS or effective policies) or whether
this is meant as no "operational" impact (e.g. things will change, but
there's no disruption anticipated). It'd be useful to frame this response
in terms of any anticipated changes at all (from mundane, like updating the
logos on the website, to significant, such as any procedure/equipment
changes), rather than observed effects.

2. Is there a risk that such an acquisition might further reduce the crew
of employees to an even smaller number? Perhaps not immediately, but over
time, say the next two years, such as "eliminating redundancies" or
"streamlining operations"? I recognize that there's an opportunity such an
acquisition might allow for greater investment and/or scale, and so don't
want to presume the negative, but it would be good to get a clear
commitment as to that, similar to other acquisitions in the past (e.g.
Symantec CA operations by DigiCert)

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1648717#c21
[2]
https://groups.google.com/g/mozilla.dev.security.policy/c/AvGlsb4BAZo/m/p_qpnU9FBQAJ

On Thu, Oct 1, 2020 at 4:55 PM Ben Wilson via dev-security-policy <

[Rob Stradling]

Hi Wayne. We are not currently planning any changes to our CP/CPS as a result of this change of control.

________________________________
From: dev-security-policy <dev-security-...@lists.mozilla.org> on behalf of Wayne Thayer via dev-security-policy <dev-secur...@lists.mozilla.org>
Sent: 02 October 2020 01:32
To: mozilla-dev-security-policy <mozilla-dev-s...@lists.mozilla.org>
Subject: Re: Sectigo to Be Acquired by GI Partners

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Rob: what, if any, changes will be made to the Sectigo CP/CPS as a result
of this change of control?

Thanks,

Wayne

On Thu, Oct 1, 2020 at 1:55 PM Ben Wilson via dev-security-policy <

[Rob Stradling]

Hi Ryan. Tim Callan posted a reply to your questions last week, but his message has not yet appeared on the list. Is it stuck in a moderation queue?

________________________________
From: dev-security-policy <dev-security-...@lists.mozilla.org> on behalf of Ryan Sleevi via dev-security-policy <dev-secur...@lists.mozilla.org>
Sent: 03 October 2020 22:16
To: Ben Wilson <bwi...@mozilla.com>
Cc: mozilla-dev-security-policy <mozilla-dev-s...@lists.mozilla.org>

Subject: Re: Sectigo to Be Acquired by GI Partners

On Thu, Oct 1, 2020 at 4:55 PM Ben Wilson via dev-security-policy <

[Tim Callan]

On Saturday, October 3, 2020 at 5:16:41 PM UTC-4, Ryan Sleevi wrote:
> 1. Is it expected that there will be similar system and/or infrastructure
> migrations as part of this? Sectigo's foresight of "no effect on its
> operations" leaves it a bit ambiguous whether this is meant as "practical"
> effect (e.g. requiring a change of CP/CS or effective policies) or whether
> this is meant as no "operational" impact (e.g. things will change, but
> there's no disruption anticipated). It'd be useful to frame this response
> in terms of any anticipated changes at all (from mundane, like updating the
> logos on the website, to significant, such as any procedure/equipment
> changes), rather than observed effects.

Sorry if our earlier message wasn’t clear. We foresee no disruptions, challenges, or special needs owing to the change of control. We anticipate no meaningful changes required to policies, operations, or personnel. This change of control is fundamentally different from the Comodo CA carve-out in that there is exactly one going-forward concern. When we broke away from Comodo Group, we had to disentangle systems, data, processes, offices, web sites, employee responsibilities, vendor relationships, contracts, and more. In this case the required changes are virtually nothing. Our new ownership expects us to continue the arc the company is on now, including service offerings, brands, sites, etc.

> 2. Is there a risk that such an acquisition might further reduce the crew
> of employees to an even smaller number? Perhaps not immediately, but over
> time, say the next two years, such as "eliminating redundancies" or
> "streamlining operations"? I recognize that there's an opportunity such an
> acquisition might allow for greater investment and/or scale, and so don't
> want to presume the negative, but it would be good to get a clear
> commitment as to that, similar to other acquisitions in the past (e.g.
> Symantec CA operations by DigiCert)

There is nothing to suggest that such cuts are coming. The reason the company that’s now called Sectigo started with what we described as a skeleton crew is that many employees who had been sometime contributors to the CA business wound up staying behind with Comodo Group. We more than doubled the size of the company in the first year as we recruited to fill those gaps. By way of example, of the ten executives listed on our Leadership page, only two of them were part of the business prior to the carve-out.

Once again, this time is radically different. We have been growing in revenue and headcount, and there is no reason to expect any kind of contraction. The new ownership at GI Partners has expressed the desire to see our continued growth, and we expect them to make the appropriate investments to fuel that. We have not had and do not anticipate any layoffs, “streamlining,” etc. as part of this change of control.

[Jakob Bohm]

Hi Rob,

The e-mail you quote below seems to be inadvertently "confirming" some
suspicions that someone else posed as questions. I think the group as a
whole would love to have actual specific answers to those original
questions.

Remember to always add an extra layer of ">" indents for each level of
message quoting, so as to not misattribute text.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

[Matt Palmer]

On Fri, Oct 09, 2020 at 06:33:22AM -0700, Tim Callan via dev-security-policy wrote:
> We anticipate no meaningful changes required to policies, operations, or personnel.

[...]

> In this case the required changes are virtually nothing.

These statements concern me somewhat, as reasonable people may have
differing thresholds for "meaningful" and "virtually". Whilst publicly
enumerating every possible change is impossible, I would urge Sectigo to err
on the side of caution when it comes to evaulating whether a change is
"meaningful". Given Sectigo's long and storied history of failures to
meaningfully engage with the Mozilla community on Sectigo's misadventures, I
doubt there is much appetite for a future in which "oh, we didn't think
*that* was a meaningful change" figures heavily in incident reports.

- Matt

[Tim Callan]

On Monday, October 12, 2020 at 6:28:06 PM UTC-4, Matt Palmer wrote:
Matt,

We can accurately remove the word meaningful from the earlier statement: We anticipate no changes required to policies, operations, or personnel. If any changes do occur in the future, we will of course update our CPS and inform the community.

[Rob Stradling]

Hi Jacob. I don't believe that this list mandates any particular posting style [https://en.wikipedia.org/wiki/Posting_style].

Although interleaved/inline posting is my preferred style, I'm stuck using Outlook365 as my mail client these days. (Sadly, Thunderbird's usability worsened dramatically for me after Sectigo moved corporate email to Office365 a few years ago). So this is the situation I find myself in...

"This widespread policy in business communication made bottom and inline posting so unknown among most users that some of the most popular email programs no longer support the traditional posting style. For example, Microsoft Outlook, AOL, and Yahoo! make it difficult or impossible to indicate which part of a message is the quoted original or do not let users insert comments between parts of the original."
[https://en.wikipedia.org/wiki/Posting_style#Quoting_support_in_popular_mail_clients]

________________________________
From: dev-security-policy <dev-security-...@lists.mozilla.org> on behalf of Jakob Bohm via dev-security-policy <dev-secur...@lists.mozilla.org>
Sent: 12 October 2020 22:41
To: mozilla-dev-s...@lists.mozilla.org <mozilla-dev-s...@lists.mozilla.org>

Subject: Re: Sectigo to Be Acquired by GI Partners

Hi Rob,

The e-mail you quote below seems to be inadvertently "confirming" some
suspicions that someone else posed as questions. I think the group as a
whole would love to have actual specific answers to those original
questions.

Remember to always add an extra layer of ">" indents for each level of
message quoting, so as to not misattribute text.

On 2020-10-12 10:43, Rob Stradling wrote:

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

[Jakob Bohm]

On 2020-10-15 16:46, Rob Stradling wrote:
> Hi Jacob. I don't believe that this list mandates any particular posting style [https://en.wikipedia.org/wiki/Posting_style].
>
> Although interleaved/inline posting is my preferred style, I'm stuck using Outlook365 as my mail client these days. (Sadly, Thunderbird's usability worsened dramatically for me after Sectigo moved corporate email to Office365 a few years ago). So this is the situation I find myself in...
>
> "This widespread policy in business communication made bottom and inline posting so unknown among most users that some of the most popular email programs no longer support the traditional posting style. For example, Microsoft Outlook, AOL, and Yahoo! make it difficult or impossible to indicate which part of a message is the quoted original or do not let users insert comments between parts of the original."
> [https://en.wikipedia.org/wiki/Posting_style#Quoting_support_in_popular_mail_clients]
>

I realized that the problem was caused by broken client software, and
was pointing out than in this case, it had led to a specific lack of
clarity and was asking for clarification of what meaning was intended.

[Rob Stradling]

> ...clarification of what meaning was intended.

Merely this...

[Jakob Bohm]

The part needing clarification started with:

> In addition to the questions posted by Wayne, I think it'd be useful
> to confirm:

> ...

[Rob Stradling]

Jakob wrote:
> The part needing clarification started with:
>

> > In addition to the questions posted by Wayne, I think it'd be useful
> > to confirm:

> > ...

I did not address that part of Ryan's post, but Tim's delayed message did address it.

See https://www.mail-archive.com/dev-secur...@lists.mozilla.org/msg13782.html
and https://www.mail-archive.com/dev-secur...@lists.mozilla.org/msg13795.html

The only​ purpose of my post was to say that Tim had posted a message that (we believed) had got stuck in a moderation queue. I felt that I needed to post my message because Mozilla expects CAs to answer questions in a timely fashion (see https://wiki.mozilla.org/CA/Responding_To_An_Incident#Keeping_Us_Informed).

When a reply from a CA representative doesn't appear on the list, it might look like the CA is not answering questions in a timely fashion. It would not be fair for any CA to be penalized just because there's a moderation queue for some messages and/or participants.