Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-04-30 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
Considering this is open: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1893546

I do think that such a temporary grant does not make sense. e-commerce has 
so far not shown itself to be a good steward of public trust. What are 
the implications of e-commerce being distrusted by Mozilla, especially 
since they can't get their auditors in order? The requirement for the 
auditors being part of ACAB was made nearly 2 years ago.

According to crt.sh, e-commerce has ~150 active certificates. I'm not 
entirely sure why an exception should be made for them & the auditor they 
have picked?

Thanks,
Amir
On Tuesday, April 30, 2024 at 5:15:41 PM UTC-4 Ben Wilson wrote:

> Hi Amir,
>
> Here is a quick update on this issue, while I continue working on a 
> summary of the discussion concerning the acquisition of e-commerce 
> monitoring by AUSTRIA CARD.
>
> Since June 1, 2022, section 3.2 of the Mozilla Root Store Policy (MRSP) 
> has required that ETSI auditors be members of the Accredited Conformity 
> Assessment Bodies' Council (ACAB'c). One of the underlying reasons for 
> adopting this requirement was to ensure consistency in auditor 
> qualifications, guidance, and attestation letters. The ACAB’c membership 
> requirement continues to help improve the quality of ETSI audits. However, 
> the MRSP also allows Mozilla to temporarily waive the ACAB’c membership 
> requirement under certain circumstances.
>
> e-commerce monitoring’s ETSI audit is currently performed by A-SIT (Secure 
> Information Technology Center – Austria). According to Herbert Leithold, 
> Executive Director of A-SIT, “A-SIT is a government-funded information 
> security organisation with formal duties that require strict neutrality and 
> independency.” For this reason, A-SIT asserts that it is precluded from 
> joining the ACAB’c. While A-SIT is currently not a member of ACAB'c, it has 
> otherwise met auditor qualification requirements and its audits have 
> conformed to templates provided by the ACAB’c. 
>
> We are considering whether to grant a temporary approval of A-SIT as an 
> exception to the ACAB’c membership requirement. Such temporary approval 
> would be subject to periodic re-evaluation, and likely it would eventually 
> be withdrawn. We sincerely appreciate everyone's contributions as they 
> facilitate our ability to make well-informed decisions. We kindly request 
> your insightful perspectives and opinions.
>
> Thanks,
>
> Ben
>
>
> On Fri, Apr 26, 2024 at 12:09 PM Amir Omidi (aaomidi)  
> wrote:
>
>> Did you ever hear from them?
>>
>> On Tuesday, March 5, 2024 at 11:18:13 AM UTC-5 Ben Wilson wrote:
>>
>>> All,
>>> March 1 was the scheduled end of public discussion on this matter. 
>>> However, I have one unresolved question that I have presented to the CA 
>>> operator and its audit firm regarding ACAB'c membership (see MRSP section 
>>> 3.2). As soon as I hear back on that question, I'll provide a summary of 
>>> the entire discussion here.
>>> Thanks,
>>> Ben 
>>>
>>> On Friday, February 23, 2024 at 7:36:13 AM UTC-7 
>>> regist...@e-monitoring.at wrote:
>>>
>>>> *Preface*
>>>>
>>>> The only thing that changed is the ownership, and the ownership is
>>>> represented by the new management. This only formal change has already been
>>>> notified to the authorities and approved and registered. The rest remains
>>>> unchanged.
>>>>
>>>> e-commerce monitoring GmbH fulfills different trust service
>>>> requirements from ISO/IEC, eIDAS / ETSI, CA/Browser Forum to Root Program
>>>> requirements, remains a member of the European Trust List (EUTL) as before
>>>> and is permanently monitored by the Austrian Supervisory Body (RTR/TKK) and
>>>> regularly assessed by a Conformity Assessment Body.
>>>>
>>>> The management has changed from Hans G. Zeger to Emmanouil Kontos and
>>>> Markus Kirchmayr. The takeover of the company includes the taking over of
>>>> the existing, trained and trusted staff which results in no changes except
>>>> top management. e-commerce monitoring GmbH continues to provide
>>>> certification and trust services according to the respective policies.
>>>>
>>>> It is in the interest of AUSTRIA CARD-Plastikkarten und Ausweissysteme
>>>> Gesellschaft m.b.H. that e-commerce monitoring GmbH continues to fully
>>>> comply with the Browser/OS Root Store Policies.
>>>>
>>>>
>>>> *Ownership and Governance*
>>>>
>>>> The ultimate beneficial owner is Nikolaos Lykos. The new shareholder of
>>>> e-commerce monitoring GmbH is AUSTRIA CARD-Plastikkarten und Ausweissysteme
>>>> Gesellschaft m.b.H., Nikolaos Lykos owns 77.57 % of shares in AUSTRIACARD
>>>> HOLDINGS AG, which is the parent company of AUSTRIA CARD-Plastikkarten und
>>>> Ausweissysteme Gesellschaft m.b.H. (it is owned 100% by AUSTRIACARD
>>>> HOLDINGS AG).
>>>>
>>>> AUSTRIACARD HOLDINGS AG is a publicly listed company with
>>>> subsidiaries in Europe and the USA (please find more details in the
>>>> prospectus on AUSTRIACARD's

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-04-30 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Hi Amir,

Here is a quick update on this issue, while I continue working on a summary
of the discussion concerning the acquisition of e-commerce monitoring by
AUSTRIA CARD.

Since June 1, 2022, section 3.2 of the Mozilla Root Store Policy (MRSP) has
required that ETSI auditors be members of the Accredited Conformity
Assessment Bodies' Council (ACAB'c). One of the underlying reasons for
adopting this requirement was to ensure consistency in auditor
qualifications, guidance, and attestation letters. The ACAB’c membership
requirement continues to help improve the quality of ETSI audits. However,
the MRSP also allows Mozilla to temporarily waive the ACAB’c membership
requirement under certain circumstances.

e-commerce monitoring’s ETSI audit is currently performed by A-SIT (Secure
Information Technology Center – Austria). According to Herbert Leithold,
Executive Director of A-SIT, “A-SIT is a government-funded information
security organisation with formal duties that require strict neutrality and
independency.” For this reason, A-SIT asserts that it is precluded from
joining the ACAB’c. While A-SIT is currently not a member of ACAB'c, it has
otherwise met auditor qualification requirements and its audits have
conformed to templates provided by the ACAB’c.

We are considering whether to grant a temporary approval of A-SIT as an
exception to the ACAB’c membership requirement. Such temporary approval
would be subject to periodic re-evaluation, and likely it would eventually
be withdrawn. We sincerely appreciate everyone's contributions as they
facilitate our ability to make well-informed decisions. We kindly request
your insightful perspectives and opinions.

Thanks,

Ben


On Fri, Apr 26, 2024 at 12:09 PM Amir Omidi (aaomidi) 
wrote:

> Did you ever hear from them?
>
> On Tuesday, March 5, 2024 at 11:18:13 AM UTC-5 Ben Wilson wrote:
>
>> All,
>> March 1 was the scheduled end of public discussion on this matter.
>> However, I have one unresolved question that I have presented to the CA
>> operator and its audit firm regarding ACAB'c membership (see MRSP section
>> 3.2). As soon as I hear back on that question, I'll provide a summary of
>> the entire discussion here.
>> Thanks,
>> Ben
>>
>> On Friday, February 23, 2024 at 7:36:13 AM UTC-7
>> regist...@e-monitoring.at wrote:
>>
>>> *Preface*
>>>
>>> The only thing that changed is the ownership, and the ownership is
>>> represented by the new management. This only formal change has already been
>>> notified to the authorities and approved and registered. The rest remains
>>> unchanged.
>>>
>>> e-commerce monitoring GmbH fulfills different trust service requirements
>>> from ISO/IEC, eIDAS / ETSI, CA/Browser Forum to Root Program requirements,
>>> remains a member of the European Trust List (EUTL) as before and is
>>> permanently monitored by the Austrian Supervisory Body (RTR/TKK) and
>>> regularly assessed by a Conformity Assessment Body.
>>>
>>> The management has changed from Hans G. Zeger to Emmanouil Kontos and
>>> Markus Kirchmayr. The takeover of the company includes the taking over of
>>> the existing, trained and trusted staff which results in no changes except
>>> top management. e-commerce monitoring GmbH continues to provide
>>> certification and trust services according to the respective policies.
>>>
>>> It is in the interest of AUSTRIA CARD-Plastikkarten und Ausweissysteme
>>> Gesellschaft m.b.H. that e-commerce monitoring GmbH continues to fully
>>> comply with the Browser/OS Root Store Policies.
>>>
>>>
>>> *Ownership and Governance*
>>>
>>> The ultimate beneficial owner is Nikolaos Lykos. The new shareholder of
>>> e-commerce monitoring GmbH is AUSTRIA CARD-Plastikkarten und Ausweissysteme
>>> Gesellschaft m.b.H., Nikolaos Lykos owns 77.57 % of shares in AUSTRIACARD
>>> HOLDINGS AG, which is the parent company of AUSTRIA CARD-Plastikkarten und
>>> Ausweissysteme Gesellschaft m.b.H. (it is owned 100% by AUSTRIACARD
>>> HOLDINGS AG).
>>>
>>> AUSTRIACARD HOLDINGS AG is a publicly listed company with subsidiaries
>>> in Europe and the USA (please find more details in the prospectus on
>>> AUSTRIACARD's website:
>>> https://www.austriacard.com/wp-content/uploads/2023/01/AustriaCard_Prospectus_24.01.2023_FINAL.PUBLICATIONpdf.pdf
>>> ).
>>>
>>> Emmanouil Kontos is the Managing Director of the company and authorized
>>> to represent the company solely. Markus Kirchmayr is authorized to
>>> represent the company jointly with Emmanouil Kontos. Both will not take any
>>> trusted roles in the CA operations.
>>>
>>> e-commerce monitoring GmbH is maintaining the Key Management as well as
>>> the respective roles of Key Manager and Key Custodian through the existing,
>>> trained and trusted staff.
>>>
>>> Major decisions regarding finance and management topics are made by the
>>> Managing Director Emmanouil Kontos in consultation with Markus Kirchmayr.
>>> Major decisions regarding operative topics are made by the Managing
>>> Director Emmanouil Kontos in