Dear Mozilla Community,

Over the past couple of months, a substantial number of compliance
incidents have arisen in relation to Entrust. We have summarized these
recent incidents in a dedicated wiki page:
https://wiki.mozilla.org/CA/Entrust_Issues. In brief, these incidents arose
out of certificate mis-issuance due to a misunderstanding of the EV
Guidelines, followed by numerous mistakes in incident handling (including a
deliberate decision to continue mis-issuance), which have been compounded
by a failure to remediate the issues in a timely fashion in line with
well-established norms and root store requirements.

Our preliminary assessment of these incidents is that while they were
relatively minor initially, the poor incident response has substantially
aggravated them and the progress towards full remediation remains
unacceptably slow. This is particularly disappointing in light of previous
incidents in 2020 (#1651481
<https://bugzilla.mozilla.org/show_bug.cgi?id=1651481> and #1648472
<https://bugzilla.mozilla.org/show_bug.cgi?id=1648472>), which arose out of
similar misunderstandings of the requirements, similar poor decision-making
in the initial response, and lengthy remediation periods that fell well
below expectations. Entrust gave commitments
<https://bugzilla.mozilla.org/show_bug.cgi?id=1651481#c17> in those bugs to
address the root problems through process improvements, and it is
concerning to see so little improvement 4 years later.

In light of these recent incidents, we are requesting that Entrust produce
a detailed report of them. This report should cover in detail:

   - The factors and root causes that led to the initial incidents,
   highlighting commonalities among the incidents and any systemic failures;
   - Entrust’s initial incident handling and decision-making in response to
   these incidents, including any internal policies or protocols used by
   Entrust to guide their response and an evaluation of whether their
   decisions and overall response complied with Entrust’s policies, their
   practice statement, and the requirements of the Mozilla Root Program;
   - A detailed timeline of the remediation process and an apportionment of
   delays to root causes; and
   - An evaluation of how these recent issues compare to the historical
   issues referenced above and Entrust’s compliance with its previously stated
   commitments.

Finally, Entrust’s report should include a detailed proposal on how it
plans to address the root causes of these issues. In light of previous
guarantees <https://bugzilla.mozilla.org/show_bug.cgi?id=1651481#c17> given
by Entrust in 2020 to ensure speedy remediation in future incidents, this
proposal should include:

   - Clear and concrete steps that Entrust proposes to take to address the
   root causes of these incidents and delayed remediation;
   - Measurable and objective criteria for Mozilla and the community to
   evaluate Entrust’s progress in deploying these solutions; and
   - A timeline by which Entrust will commit to meeting these criteria.

We strongly recommend that Entrust go beyond their existing commitment
<https://bugzilla.mozilla.org/show_bug.cgi?id=1886532#c0> to offer
systematic, automated solutions for effective remediation, like ACME ARI,
and that it also include clear and measurable targets for the adoption of
these tools by new and existing subscribers.

This report should be submitted to the Mozilla dev-security-policy mailing list
for evaluation by the community and Mozilla, who will weigh whether
Entrust’s report presents a credible and effective path towards
re-establishing trust in Entrust’s operation. Submission should be no later
than June 7, 2024.

We thank community members for their engagement on these issues and look
forward to their feedback on Entrust’s report and proposed commitments.

Thanks,

Ben Wilson

Mozilla Root Program
