*Preface* The only thing that changed is the ownership, and the ownership is represented by the new management. This only formal change has already been notified to the authorities and approved and registered. The rest remains unchanged.
e-commerce monitoring GmbH fulfills different trust service requirements from ISO/IEC, eIDAS / ETSI, CA/Browser Forum to Root Program requirements, remains a member of the European Trust List (EUTL) as before and is permanently monitored by the Austrian Supervisory Body (RTR/TKK) and regularly assessed by a Conformity Assessment Body. The management has changed from Hans G. Zeger to Emmanouil Kontos and Markus Kirchmayr. The takeover of the company includes the taking over of the existing, trained and trusted staff which results in no changes except top management. e-commerce monitoring GmbH continues to provide certification and trust services according to the respective policies. It is in the interest of AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H. that e-commerce monitoring GmbH continues to fully comply with the Browser/OS Root Store Policies. *Ownership and Governance* The ultimate beneficial owner is Nikolaos Lykos. The new shareholder of e-commerce monitoring GmbH is AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., Nikolaos Lykos owns 77.57 % of shares in AUSTRIACARD HOLDINGS AG, which is the parent company of AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H. (it is owned 100% by AUSTRIACARD HOLDINGS AG). AUSTRIACARD HOLDINGS AG is a publically listed company with subsidiaries in Europe and the USA (please find more details in the prospectus on AUSTRIACARD´s website ( https://www.austriacard.com/wp-content/uploads/2023/01/AustriaCard_Prospectus_24.01.2023_FINAL.PUBLICATIONpdf.pdf ) Emmanouil Kontos is the Managing Director of the company and authorized to represent the company solely. Markus Kirchmayr is authorized to represent the company jointly with Emmanouil Kontos. Both will not take any trusted roles in the CA operations. e-commerce monitoring GmbH is maintaining the Key Management as well as the respective roles of Key Manager and Key Custodian through the existing, trained and trusted staff Major decisions regarding finance and management topics are made by the Managing Director Emmanouil Kontos in consultation with Markus Kirchmayr Major decisions regarding operative topics are made by the Managing Director Emmanouil Kontos in consultation with the key manager. The decision making structure can be defined as follows: · Define the problem or decision that needs to be madeGather information and options · Analyze the information and options · Select the best option · Plan for implementation · Implement the plan *Investment and Budget* e-commerce monitoring GmbH is now 100% subsidiary of AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., which is classified as “große Kapitalgesellschaft” (large corporation) and therefore needs to comply with all regulations of the Austrian GmbHG (limited liabilities company Act) and UGB (Commercial Code). In addition e-commerce monitoring GmbH is therefore part of group of companies of AUSTRIACARD HOLDINGS AG, which is also classified as “große Kapitalgesellschaft” (large corporation) and in addition is a listed company on stock exchange in Vienna and Athens. Therefore AUSTRIACARD HOLDINGS AG needs to comply with all regulations of Austrian Aktiengesetz (Joint Stock Corporation Act) and Börsegesetz (Stock Exchange Act). AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H, with over 40 years of experience in providing high security solutions, is maintaining an Information Security Management System as part of the ISO 27001 framework which is certified and audited on a regular basis. Furthermore Austria Card has established security policies and process to comply and be certified according other security standards like ISO 14298 as well as Payment Card Industry standards PCI CP, PCI DSS and a qualification management system according to ISO 9001:2015. In the interest of fair competition we prefer not to disclose any strategic, budget or any other internal confidential information. *Community Engagement* e-commerce monitoring GmbH is committed to serving a diverse range of communities, both locally and globally. Further, we strive to create products and services that meet the needs of various demographics. Additionally, we prioritize inclusivity and accessibility, ensuring that our offerings are accessible to individuals from all walks of life. e-commerce monitoring GmbH is actively monitoring various legal information databases, other sources like Certification Authorities and Trust Service Providers portals by ETSI, the websites of CA Browser Forum and root store operators as well as participation and exchange of information with various industry partners through events and projects. Additionally, e-commerce monitoring GmbH has established partnerships with regulatory institutions, security researchers, certification partners as well as customer relations which pro-actively inform e-commerce monitoring GmbH regarding significant changes, requirements and risks concerning security and compliance throughout the whole Web PKI. *Employees* e-commerce monitoring GmbH has established policies like “GLOBALTRUST Certificate Policy” which continue to apply. For reference and directions please consult particularly sections 5.2 Procedural controls and 5.3 Personnel - Most recent: Version 3.2a / 16th February, 2024 controls https://service.globaltrust.eu/static/globaltrust-certificate-policy.pd <https://service.globaltrust.eu/static/globaltrust-certificate-policy.pdf> f - Prior: Version 3.2 / 19th August 2023: https://service.globaltrust.eu/static/globaltrust-certificate-policy.20230819.pdf There is no change to the staff in trusted roles. Employees in trusted roles remain as they have been. Only the top level management has been replaced. We are not able to disclose any background information on individuals. Skills and experience have been audited and, in part, are known to the Root Program responsible. e-commerce monitoring GmbH employs personnel with over 30 years of experience in cryptography, data protection and in general providing PKI technology solutions. The audited systems implemented by the trusted personnel of e-commerce monitoring GmbH are fulfilling different trust service requirements from ISO/IEC, eIDAS / ETSI, CAB Forum to root store policies which additionally are monitored on a regularly basis both through automated system and manual audit processes. Further, e-commerce monitoring GmbH monitors CA incidents and other relevant discussions over the following community groups: · Bugzilla platform (https://wiki.mozilla.org/CA/Incident_Dashboard) · dev-security-policy group hosted by Google ( https://groups.google.com/a/mozilla.org/g/dev-security-policy) · CCADB Public group hosted by Google ( https://groups.google.com/a/ccadb.org/g/public) · CAB Forum mailing lists: o https://lists.cabforum.org/mailman/listinfo/netsec o https://lists.cabforum.org/mailman/listinfo/public o https://lists.cabforum.org/mailman/listinfo/smcwg-public o https://lists.cabforum.org/mailman/listinfo/validation o https://lists.cabforum.org/mailman/listinfo/servercert-wg *Operational Design and Ongoing GRC Management* e-commerce monitoring GmbH are designed, built and maintained according to the requirements including but not limited to ISO/IEC, eIDAS / ETSI, CAB Forum, root store policies as well as the established policies by GLOBALTRUST. Additionally, these systems have a continuous audit history carried out by qualified accredited bodies. The most recent RootCA GLOBALTRUST 2020 has a gapless cradle-to-the-grave audit including a key ceremony report and EV readiness attestation. e-commerce monitoring GmbH maintains extensive public and internal documentation which additionally has been presented to and audited by the Austrian supervisory body (RTR/TKK). The audited systems enforce various automated controls and tests including but not limited to pre-issuance linting tests utilizing the well-known open source tools. e-commerce monitoring GmbH has implemented automated monitoring systems that permanently evaluate the system security parameters, performance, availability and the resulting quality KPIs of the trusted services. Deviations from the expected quality KPIs trigger the notification and remediation process of our trained IT personnel during working hours and standby. Additionally, manual and automated self-audits are carried out on a quarterly basis against a random percentage of all issued certificates as required. *Auditing* e-commerce monitoring GmbH will continue to be evaluated by the auditor “A-SIT Zentrum für sichere Informationstechnologie” – Austria under the eIDAS / ETSI audit scheme. The most recent audit attestation including auditor’s accreditation scope and team qualification can be found under the provided URl and follows the ACAB-c template in its most recent version: https://www.a-sit.at/wp-content/uploads/2023/05/VIG-23-044_audit-attestation_globaltrust-etsi-2023_final_signed.pdf The most recent eIDAS conformity assessment report can be found here: https://service.globaltrust.eu/static/conformity-assessment-2023.pdf Here is a quick bottom-up way to reproduce the auditor's qualifications: - Accreditation scope A-SIT: https://akkreditierung-austria.gv.at/overview (see A-SIT) - Notification of A-SIT as CAB: (Name “Zentrum für sichere Informationstechnologie – Austria“ Acronym: “A-SIT”) - Notification of Akkreditierung Austria as NAB: https://eidas.ec.europa.eu/efda/browse/notification/cab-nab - Accreditation / “Akkreditierung Austria” at EA: https://european-accreditation.org/ea-members/directory-of-ea-members-and-mla-signatories/ A-SIT has been recorded as auditor in the CCADB with Audit Firm Confidence Status as evaluated by Root Store Managers “High” https://ccadb.my.site.com/s/detail/a0F1J00001ICCfqUAH <https://ccadb.my.site.com/s/detail/a0F1J00001ICCfqUAH> On Thursday, February 8, 2024 at 1:19:33 PM UTC+1 e-commerce monitoring wrote: > Dear All, > > e-commerce monitoring GmbH is now 100% subsidiary of AUSTRIA > CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., which is > classified as “große Kapitalgesellschaft” (large corporation) and therefore > needs to comply with all regulations of the Austrian GmbHG (limited > liabilities company Act) and UGB (Commercial Code). > > e-commerce monitoring GmbH was taken over as a fully functional and > independent entity inside the AUSTRIA CARD group of companies. The > certified policies, processes and commitments of e-commerce monitoring GmbH > continue to apply. > > The takeover of the company also includes the taking over of the > established staff which results in no changes except top management and > e-commerce monitoring GmbH will continue to adhere and operate according to > the respective policies. > > Best regards, > Daniel > > On Wednesday, February 7, 2024 at 12:22:36 AM UTC+1 Ben Wilson wrote: > >> Hi Aaron, >> >> On Tue, Feb 6, 2024 at 3:00 PM Aaron Gable <aa...@letsencrypt.org> wrote: >> >>> e-commerce monitoring GmbH currently has multiple open bugzilla tickets >>> which have not had any updates from their staff in multiple months: >>> - https://bugzilla.mozilla.org/show_bug.cgi?id=1815534 >>> - https://bugzilla.mozilla.org/show_bug.cgi?id=1862004 >>> >> >> Correct - the questions raised by these incidents still need to be >> answered. >> >> >>> Does the behavior of the CA being acquired factor into decisions like >>> this, or just the behavior of the acquiring entity? >>> >> >> The behavior of the entity being acquired and the capabilities and >> history of the acquiring company are relevant, going back for an >> unspecified period of time. (Factors to be considered in deciding how far >> to go back include the nature and severity of any non-compliance and the >> degree to which any incidents reveal persistent, systemic problems.) >> >> >>> If a distrust conversation were to arise in the future, how do root >>> programs ensure that bugs filed under previous corporate names are still >>> included in the analysis? >>> >> >> We have not experienced a lot of M&A/name-change activity recently. I >> believe the Mozilla Community has sufficient continuity, institutional >> memory, and community-based knowledge about the history of CA operators. >> So, I think this concern can be handled when needed with comments from >> community members, and changes in the names of CA operators should not >> require that we create a new tracking solution. (If incidents are >> sufficiently recent or still have relevance, then we could update the >> Bugzilla bugs "Summaries" by replacing the name of the previous operator >> with the name of the new entity when there is a name change or CA operator >> replacement.) >> >> Ben >> >> >>> >>> Thanks, >>> Aaron >>> >>> On Fri, Feb 2, 2024 at 5:25 PM Ben Wilson <bwi...@mozilla.com> wrote: >>> >>>> Dear Suchan, >>>> You make a valid point. However, in this case, I wasn't sure how other >>>> root stores would be handling this. They may have their own processes. >>>> Also, the distribution on this list is almost 3x greater than on the CCADB >>>> public list, so I decided to post the discussion here. >>>> If the other root stores want to have a public discussion of this >>>> acquisition, then we can start a discussion on CCADB Public, too. >>>> Sincerely yours, >>>> Ben >>>> >>>> On Fri, Feb 2, 2024 at 5:53 PM Suchan Seo <tjt...@gmail.com> wrote: >>>> >>>>> While not have knowledge to comment about acquire itself, doesn't >>>>> this more fit to ccadb mailing list? I thought root store policy about >>>>> individual root was moved to there >>>>> 2024년 2월 3일 토요일 오전 1시 45분 19초 UTC+9에 Ben Wilson님이 작성: >>>>> >>>>>> All, >>>>>> >>>>>> Recently we were advised that e-commerce monitoring GmbH is being >>>>>> acquired by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH. >>>>>> >>>>>> e-commerce monitoring operates the GLOBALTRUST 2020 root CA that is >>>>>> included in the Mozilla root store. They have advised us of the >>>>>> following: >>>>>> >>>>>> There are no changes to the operation of the CA and RA functions. >>>>>> >>>>>> Changes to the corporate structure: >>>>>> >>>>>> - New shareholder: >>>>>> AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H. >>>>>> registered under the number FN 98272v commercial court Vienna >>>>>> Lamezanstraße 4-8 >>>>>> 1230 Vienna, Austria >>>>>> https://www.austriacard.com/ >>>>>> >>>>>> - New Management >>>>>> new: CEO ("Geschäftsführer") Mr. Emmanouil Kontos >>>>>> new: Attorney ("Prokurist") Mr. Markus Kirchmayr >>>>>> old: CEO Hans Zeger >>>>>> >>>>>> - Registered headquarter >>>>>> new: Handelskai 388/621, 1020 Vienna, Austria >>>>>> old: Redtenbachergasse 20, 1160 Vienna, Austria >>>>>> >>>>>> According to section 8.1 of the Mozilla Root Store Policy, “If the >>>>>> receiving or acquiring company is new to the Mozilla root store, it MUST >>>>>> demonstrate compliance with the entirety of this policy. There MUST be a >>>>>> public discussion regarding its admittance to the root store. If Mozilla >>>>>> reaches a positive conclusion after public discussion, then the affected >>>>>> certificate(s) MAY remain in the root store.” >>>>>> >>>>>> By this email, I am initiating a four-week public discussion period, >>>>>> scheduled to close on Friday, 1-March-2024, to allow for at least three >>>>>> full weeks of public discussion. The first week (Feb. 5 – 9) is intended >>>>>> to >>>>>> give the acquiring company time to address the following topics: >>>>>> >>>>>> · Compliance with the Mozilla Root Store Policy >>>>>> >>>>>> · Ownership and governance >>>>>> >>>>>> · Investment and budget for CA operations, risk management, >>>>>> and compliance >>>>>> >>>>>> · Community engagement and involvement in industry groups >>>>>> >>>>>> · Employee expertise and continuity >>>>>> >>>>>> · Operational design and ongoing GRC management >>>>>> >>>>>> · Auditors and auditing >>>>>> >>>>>> Thanks, >>>>>> >>>>>> Ben Wilson >>>>>> >>>>>> Mozilla Root Store Program >>>>>> >>>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "dev-secur...@mozilla.org" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to dev-security-po...@mozilla.org. >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabZVUgzo1rbr%3DyP-F0YzWCzjaO1sHKGYp%3DLTtQGzYEKrA%40mail.gmail.com >>>> >>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabZVUgzo1rbr%3DyP-F0YzWCzjaO1sHKGYp%3DLTtQGzYEKrA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/53cd5a11-8934-4e43-b039-fa24c54511d0n%40mozilla.org.