1463597 - Camerfirma: Acquisition by InfoCert

Status: RESOLVED FIXED

(CA Program :: CA Certificate Root Program, task)

Description

[Wayne Thayer]

This bug is intended to track approval of the InfoCert acquisition of Camerfirma as required by section 8.1 of the Mozilla root store policy.

News of the acquisition was first published on May 4th, 2018.

Camerfirma notified Mozilla on May 17th, 2018.

Camerfirma estimates that the transaction will close in mid-late June. Camerfirma states that they cannot answer questions about the acquisition before it closes.

I will appreciate InfoCert's answers to the following questions as soon as possible:
* Can you confirm that AC Camerfirma's entire CA operation has been acquired? This means that all of the roots, systems, policies, people, and infrastructure are not changing.
* Have any CP/CPS changes occurred, or do you expect any changes to occur as the result of this transaction? If yes, please describe them.
* Are you undergoing any additional audits, or do you expect any changes in the status of your audits or compliance certificates as the result of this transaction?
* Please describe the management changes that will result from this transaction.
* Please describe any changes to personnel that will result from this transaction.
* Please describe any changes to policies that will result from this transaction.
* Please describe any changes to systems that will happen as a result of this transaction.
* Please describe any other changes that will result from this transaction.
* Why was Mozilla not notified of this transaction 2 weeks ago when it was announced?

Please post your responses here and to the mozilla.dev.security.policy thread that I have started on this topic.

Comment 1

[Juan Angel Martin]

I've been authorized by Infocert to give these answers:

* Can you confirm that the entire CA operation has been acquired? This means that all of the roots, systems, policies, people, and infrastructure are not changing.
-> Yes
 
* Have any CP/CPS changes occurred, or do you expect any change to occur as the result of this transaction?
-> No
 
* Are you undergoing any additional audits, or do you expect any changes in the status of your audits or compliance certificates as the result of this transaction?
-> No
 
* Please describe the management changes that will result from this transaction
-> No changes are expected in the management
 
* Please describe any changes to personnel that will result from this transaction
-> No changes are expected to personnel 
 
* Please describe any changes to policies that will result from this transaction
-> No changes are expected to policies
 
* Please describe any changes to systems that will happen as a result of this transaction
-> No changes are expected to systems
 
* Please describe any other changes that will result from this transaction
-> No changes are expected
 
* Why was Mozilla not notified of this transaction 2 weeks ago when it was announced?
-> The operation is already public but it's necessary to wait until it has been done in the Spanish government's public registry. This point determines the effectiveness of the operation with third parties.

Comment 2

[Wayne Thayer]

Began a public discussion of this acquisition per policy section 8.1: https://groups.google.com/d/msg/mozilla.dev.security.policy/NyfFMsjnGrc/uypf71CyBwAJ

I noted that Camerfirma's annual audit reports are overdue.

Comment 3

[Wayne Thayer]

Asked for any final comments by 30-September.

Also referenced bug 1478933 on qualified audits.

Comment 4

[Wayne Thayer]

This acquisition discussion ended with a positive conclusion: https://groups.google.com/d/msg/mozilla.dev.security.policy/NyfFMsjnGrc/uypf71CyBwAJ