Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-05-07 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
I just wanted to point out that e-commerce's communication is still 
very-very delayed: https://bugzilla.mozilla.org/show_bug.cgi?id=1893546#c1, 
https://bugzilla.mozilla.org/show_bug.cgi?id=1862004#c9

I think e-commerce is getting into the territory where we should really 
consider if they're a healthy member of the Mozilla root store.

*Does anyone have any arguments on why e-commerce shouldn't be fast tracked 
to removal from root stores?* I know in the future we probably need to 
define certain criteria on how to handle non-responsive CAs such as this. 
But I don't think we should wait until such a document is prepared before 
taking action.

On Friday, May 3, 2024 at 9:12:19 AM UTC-4 Wayne wrote:

> Hi Andrew,
>
> I was looking at https://globaltrust.eu/certificate-policy/ and the
> 'GLOBALTRUST 2015 SERVER OV 2' entry which includes a list of test
> servers. I can see there is a different list of test servers listed
> higher on the page, and 2020 functions correctly, but 2015 has the same
> issue (from the 'Testserver SSL-Zertifikate' heading):
>
> GLOBALTRUST 2015 valid certificate
> https://testok-2015-server-qualified-1.e-monitoring.at
> GLOBALTRUST 2015 expired certificate
> https://testold-2015-server-qualified-1.e-monitoring.at
> GLOBALTRUST 2015 revoked certificate
> https://testrevoked-2015-server-qualified-1.e-monitoring.at
>
> This seems to have been an abandoned practice by globaltrust and the 
> entries are inconsistent on whether they have any listed.
>
> - Wayne
> On Friday, May 3, 2024 at 1:59:59 PM UTC+1 Andrew Ayer wrote:
>
>> Hi Wayne, 
>>
>> On Fri, 3 May 2024 04:29:15 -0700 (PDT) 
>> Wayne  wrote: 
>>
>> > They don't list valid/expired/revoked domains for all of their 
>> > sub-CAs 
>>
>> CAs are only required to provide one set of test websites per root, not 
>> for every sub-CA. 
>>
>> > and even the ones they do are running on the same wildcard 
>> > covering: 
>> > 
>> > DNS:timestamp.globaltrust.eu 
>> > DNS:*.globaltrust.eu 
>> > DNS:*.globaltrust.at 
>> > DNS:*.globaltrust.info 
>> > DNS:*.a-cert.at 
>> > DNS:*.e-monitoring.at 
>> > 
>> > See: https://crt.sh/?id=9532011580 
>>
>> Where are you seeing this disclosed as a test website certificate? The 
>> disclosures that I see in the CCADB for GLOBALTRUST's Mozilla-trusted 
>> root are: 
>>
>> https://testok-2020-server-qualified-ev-1.e-monitoring.at/ 
>> https://testold-2020-server-qualified-ev-1.e-monitoring.at/ 
>> https://testrevoked-2020-server-qualified-ev-1.e-monitoring.at/ 
>>
>> Those all look correct to me. 
>>
>> Regards, 
>> Andrew 
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/d8b87251-a772-4777-8597-3918931fb7b3n%40mozilla.org.


Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-05-03 Thread Wayne
Hi Andrew,

I was looking at https://globaltrust.eu/certificate-policy/ and the
'GLOBALTRUST 2015 SERVER OV 2' entry which includes a list of test
servers. I can see there is a different list of test servers listed
higher on the page, and 2020 functions correctly, but 2015 has the same
issue (from the 'Testserver SSL-Zertifikate' heading):

GLOBALTRUST 2015 valid certificate
https://testok-2015-server-qualified-1.e-monitoring.at
GLOBALTRUST 2015 expired certificate
https://testold-2015-server-qualified-1.e-monitoring.at
GLOBALTRUST 2015 revoked certificate
https://testrevoked-2015-server-qualified-1.e-monitoring.at

This seems to have been an abandoned practice by globaltrust and the 
entries are inconsistent on whether they have any listed.

- Wayne
On Friday, May 3, 2024 at 1:59:59 PM UTC+1 Andrew Ayer wrote:

> Hi Wayne,
>
> On Fri, 3 May 2024 04:29:15 -0700 (PDT)
> Wayne  wrote:
>
> > They don't list valid/expired/revoked domains for all of their
> > sub-CAs
>
> CAs are only required to provide one set of test websites per root, not
> for every sub-CA.
>
> > and even the ones they do are running on the same wildcard
> > covering:
> > 
> > DNS:timestamp.globaltrust.eu
> > DNS:*.globaltrust.eu
> > DNS:*.globaltrust.at
> > DNS:*.globaltrust.info
> > DNS:*.a-cert.at
> > DNS:*.e-monitoring.at
> > 
> > See: https://crt.sh/?id=9532011580
>
> Where are you seeing this disclosed as a test website certificate? The
> disclosures that I see in the CCADB for GLOBALTRUST's Mozilla-trusted
> root are:
>
> https://testok-2020-server-qualified-ev-1.e-monitoring.at/
> https://testold-2020-server-qualified-ev-1.e-monitoring.at/
> https://testrevoked-2020-server-qualified-ev-1.e-monitoring.at/
>
> Those all look correct to me.
>
> Regards,
> Andrew
>


Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-05-03 Thread Andrew Ayer
Hi Wayne,

On Fri, 3 May 2024 04:29:15 -0700 (PDT)
Wayne  wrote:

> They don't list valid/expired/revoked domains for all of their
> sub-CAs

CAs are only required to provide one set of test websites per root, not
for every sub-CA.

> and even the ones they do are running on the same wildcard
> covering:
> 
> DNS:timestamp.globaltrust.eu
> DNS:*.globaltrust.eu
> DNS:*.globaltrust.at
> DNS:*.globaltrust.info
> DNS:*.a-cert.at
> DNS:*.e-monitoring.at
> 
> See: https://crt.sh/?id=9532011580

Where are you seeing this disclosed as a test website certificate?  The
disclosures that I see in the CCADB for GLOBALTRUST's Mozilla-trusted
root are:

https://testok-2020-server-qualified-ev-1.e-monitoring.at/
https://testold-2020-server-qualified-ev-1.e-monitoring.at/
https://testrevoked-2020-server-qualified-ev-1.e-monitoring.at/

Those all look correct to me.

Regards,
Andrew


Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-05-03 Thread Wayne
Thanks for the clarification Rob. Looking at their page layout and their 
opting to do so convinced me of that, but I should have checked the BR 
specifically.

- Wayne

On Friday, May 3, 2024 at 1:47:52 PM UTC+1 Rob Stradling wrote:

> Hi Wayne.  On this particular point...
>
> > They don't list valid/expired/revoked domains for all of their sub-CAs
>
> Please note that the requirement in BR section 2.2 is as follows (emphasis 
> mine):
>
> *"The CA SHALL host test Web pages that allow Application Software 
> Suppliers to test their software*
> *with Subscriber Certificates that chain up to **each publicly trusted 
> Root Certificate**. At a minimum,*
> *the CA SHALL host separate Web pages using Subscriber Certificates that 
> are*
> *i. valid,*
> *ii. revoked, and*
> *iii. expired."*
>
> https://crt.sh/test-websites shows that e-commerce monitoring GmbH is 
> currently compliant with this requirement.
>
> I don't think you'll find many CAs that operate a separate set of 
> valid/expired/revoked "test Web pages" for *each of their Sub-CAs*, given 
> that this is not actually required.
>
> --
> *From:* dev-secur...@mozilla.org on behalf of Wayne
> *Sent:* 03 May 2024 12:29
> *To:* dev-secur...@mozilla.org 
> *Cc:* Roman Fischer 
>
> *Subject:* Re: Public Discussion of Acquisition of e-commerce monitoring 
> GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH
>  
> Having glanced at e-commerce monitoring GmbH for all of 5 minutes I'd move 
> further and advocate for full removal: 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1862004#c10
>
> They don't list valid/expired/revoked domains for all of their sub-CAs, 
> and even the ones they do are running on the same wildcard covering:
>
> DNS:timestamp.globaltrust.eu
> DNS:*.globaltrust.eu
> DNS:*.globaltrust.at
> DNS:*.globaltrust.info
> DNS:*.a-cert.at
> DNS:*.e-monitoring.at
>
> See: https://crt.sh/?id=9532011580
>
> This is not a healthy CA in any manner.
>
> - Wayne
> On Friday, May 3, 2024 at 12:05:54 PM UTC+1 Roman Fischer wrote:
>
> Dear Ben,
>
>  
>
> I’m not sure I understand “A-SIT asserts that it is precluded from 
> joining the ACAB’c” correctly. Does A-SIT have any confirmation either from 
> their government sponsor or from ACAB’c that they can’t join?
>
>  
>
> Rgds
> Roman
>
>  
>
> *From:* 'Ben Wilson' via dev-secur...@mozilla.org <
> dev-secur...@mozilla.org>
> *Sent:* Tuesday, 30 April 2024 23:15
> *To:* Amir Omidi (aaomidi) 
> *Cc:* dev-secur...@mozilla.org; regist...@e-monitoring.at <
> regist...@e-monitoring.at>
> *Subject:* Re: Public Discussion of Acquisition of e-commerce monitoring 
> GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH
>
>  
>
> Hi Amir,
>
> Here is a quick update on this issue, while I continue working on a 
> summary of the discussion concerning the acquisition of e-commerce 
> monitoring by AUSTRIA CARD.
>
> Since June 1, 2022, section 3.2 of the Mozilla Root Store Policy (MRSP) 
> has required that ETSI auditors be members of the Accredited Conformity 
> Assessment Bodies' Council (ACAB'c). One of the underlying reasons for 
> adopting this requirement was to ensure consistency in auditor 
> qualifications, guidance, and attestation letters. The ACAB’c membership 
> requirement continues to help improve the quality of ETSI audits. However, 
> the MRSP also allows Mozilla to temporarily waive the ACAB’c membership 
> requirement under certain circumstances.
>
> e-commerce monitoring’s ETSI audit is currently performed by A-SIT (Secure 
> Information Technology Center – Austria). According to Herbert Leithold, 
> Executive Director of A-SIT, “A-SIT is a government-funded information 
> security organisation with formal duties that require strict neutrality and 
> independency.” For this reason, A-SIT asserts that it is precluded from 
> joining the ACAB’c. While A-SIT is currently not a member of ACAB'c, it has 
> otherwise met auditor qualification requirements and its audits have 
> conformed to templates provided by the ACAB’c. 
>
> We are considering whether to grant a temporary approval of A-SIT as an 
> exception to the ACAB’c membership requirement. Such temporary approval 
> would be subject to periodic re-evaluation, and likely it would eventually 
> be withdrawn. We sincerely appreciate everyone's contributions as they 
> facilitate our ability to make well-informed decisions. We kindly request 
> your

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-05-03 Thread 'Rob Stradling' via dev-security-policy@mozilla.org
Hi Wayne.  On this particular point...

> They don't list valid/expired/revoked domains for all of their sub-CAs

Please note that the requirement in BR section 2.2 is as follows (emphasis 
mine):

"The CA SHALL host test Web pages that allow Application Software Suppliers to 
test their software
with Subscriber Certificates that chain up to each publicly trusted Root 
Certificate. At a minimum,
the CA SHALL host separate Web pages using Subscriber Certificates that are
i. valid,
ii. revoked, and
iii. expired."

https://crt.sh/test-websites shows that e-commerce monitoring GmbH is currently 
compliant with this requirement.

I don't think you'll find many CAs that operate a separate set of 
valid/expired/revoked "test Web pages" for each of their Sub-CAs, given that 
this is not actually required.


From: dev-security-policy@mozilla.org on behalf of Wayne
Sent: 03 May 2024 12:29
To: dev-security-policy@mozilla.org
Cc: Roman Fischer
Subject: Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by 
AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

Having glanced at e-commerce monitoring GmbH for all of 5 minutes I'd move 
further and advocate for full removal: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1862004#c10

They don't list valid/expired/revoked domains for all of their sub-CAs, and 
even the ones they do are running on the same wildcard covering:

DNS:timestamp.globaltrust.eu
DNS:*.globaltrust.eu
DNS:*.globaltrust.at
DNS:*.globaltrust.info
DNS:*.a-cert.at
DNS:*.e-monitoring.at

See: https://crt.sh/?id=9532011580

This is not a healthy CA in any manner.

- Wayne
On Friday, May 3, 2024 at 12:05:54 PM UTC+1 Roman Fischer wrote:

Dear Ben,



I’m not sure I understand “A-SIT asserts that it is precluded from joining the 
ACAB’c” correctly. Does A-SIT have any confirmation either from their 
government sponsor or from ACAB’c that they can’t join?



Rgds
Roman



From: 'Ben Wilson' via dev-secur...@mozilla.org 
Sent: Tuesday, 30 April 2024 23:15
To: Amir Omidi (aaomidi) 
Cc: dev-secur...@mozilla.org; regist...@e-monitoring.at 

Subject: Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by 
AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH



Hi Amir,

Here is a quick update on this issue, while I continue working on a summary of 
the discussion concerning the acquisition of e-commerce monitoring by AUSTRIA 
CARD.

Since June 1, 2022, section 3.2 of the Mozilla Root Store Policy (MRSP) has 
required that ETSI auditors be members of the Accredited Conformity Assessment 
Bodies' Council (ACAB'c). One of the underlying reasons for adopting this 
requirement was to ensure consistency in auditor qualifications, guidance, and 
attestation letters. The ACAB’c membership requirement continues to help 
improve the quality of ETSI audits. However, the MRSP also allows Mozilla to 
temporarily waive the ACAB’c membership requirement under certain circumstances.

e-commerce monitoring’s ETSI audit is currently performed by A-SIT (Secure 
Information Technology Center – Austria). According to Herbert Leithold, 
Executive Director of A-SIT, “A-SIT is a government-funded information security 
organisation with formal duties that require strict neutrality and 
independency.” For this reason, A-SIT asserts that it is precluded from joining 
the ACAB’c. While A-SIT is currently not a member of ACAB'c, it has otherwise 
met auditor qualification requirements and its audits have conformed to 
templates provided by the ACAB’c.

We are considering whether to grant a temporary approval of A-SIT as an 
exception to the ACAB’c membership requirement. Such temporary approval would 
be subject to periodic re-evaluation, and likely it would eventually be 
withdrawn. We sincerely appreciate everyone's contributions as they facilitate 
our ability to make well-informed decisions. We kindly request your insightful 
perspectives and opinions.

Thanks,

Ben



On Fri, Apr 26, 2024 at 12:09 PM Amir Omidi (aaomidi)  wrote:

Did you ever hear from them?

On Tuesday, March 5, 2024 at 11:18:13 AM UTC-5 Ben Wilson wrote:

All,

March 1 was the scheduled end of public discussion on this matter. However, I 
have one unresolved question that I have presented to the CA operator and its 
audit firm regarding ACAB'c membership (see MRSP section 3.2). As soon as I 
hear back on that question, I'll provide a summary of the entire discussion 
here.

Thanks,

Ben



On Friday, February 23, 2024 at 7:36:13 AM UTC-7 regist...@e-monitoring.at 
wrote:

Preface

The only thing that changed is the ownership, and the ownership is represented 
by the new management. This only formal change has already been notified to the 
authorities and approved and registered. The rest remains unchanged.

e-c

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-05-03 Thread Wayne
Having glanced at e-commerce monitoring GmbH for all of 5 minutes I'd move 
further and advocate for full removal: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1862004#c10

They don't list valid/expired/revoked domains for all of their sub-CAs, and 
even the ones they do are running on the same wildcard covering:

DNS:timestamp.globaltrust.eu
DNS:*.globaltrust.eu
DNS:*.globaltrust.at
DNS:*.globaltrust.info
DNS:*.a-cert.at
DNS:*.e-monitoring.at

See: https://crt.sh/?id=9532011580

This is not a healthy CA in any manner.

- Wayne
On Friday, May 3, 2024 at 12:05:54 PM UTC+1 Roman Fischer wrote:

> Dear Ben,
>
>  
>
> I’m not sure I understand “A-SIT asserts that it is precluded from 
> joining the ACAB’c” correctly. Does A-SIT have any confirmation either from 
> their government sponsor or from ACAB’c that they can’t join?
>
>  
>
> Rgds
> Roman
>
>  
>
> *From:* 'Ben Wilson' via dev-secur...@mozilla.org <
> dev-secur...@mozilla.org> 
> *Sent:* Tuesday, 30 April 2024 23:15
> *To:* Amir Omidi (aaomidi) 
> *Cc:* dev-secur...@mozilla.org; regist...@e-monitoring.at <
> regist...@e-monitoring.at>
> *Subject:* Re: Public Discussion of Acquisition of e-commerce monitoring 
> GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH
>
>  
>
> Hi Amir,
>
> Here is a quick update on this issue, while I continue working on a 
> summary of the discussion concerning the acquisition of e-commerce 
> monitoring by AUSTRIA CARD.
>
> Since June 1, 2022, section 3.2 of the Mozilla Root Store Policy (MRSP) 
> has required that ETSI auditors be members of the Accredited Conformity 
> Assessment Bodies' Council (ACAB'c). One of the underlying reasons for 
> adopting this requirement was to ensure consistency in auditor 
> qualifications, guidance, and attestation letters. The ACAB’c membership 
> requirement continues to help improve the quality of ETSI audits. However, 
> the MRSP also allows Mozilla to temporarily waive the ACAB’c membership 
> requirement under certain circumstances.
>
> e-commerce monitoring’s ETSI audit is currently performed by A-SIT (Secure 
> Information Technology Center – Austria). According to Herbert Leithold, 
> Executive Director of A-SIT, “A-SIT is a government-funded information 
> security organisation with formal duties that require strict neutrality and 
> independency.” For this reason, A-SIT asserts that it is precluded from 
> joining the ACAB’c. While A-SIT is currently not a member of ACAB'c, it has 
> otherwise met auditor qualification requirements and its audits have 
> conformed to templates provided by the ACAB’c. 
>
> We are considering whether to grant a temporary approval of A-SIT as an 
> exception to the ACAB’c membership requirement. Such temporary approval 
> would be subject to periodic re-evaluation, and likely it would eventually 
> be withdrawn. We sincerely appreciate everyone's contributions as they 
> facilitate our ability to make well-informed decisions. We kindly request 
> your insightful perspectives and opinions.
>
> Thanks,
>
> Ben
>
>  
>
> On Fri, Apr 26, 2024 at 12:09 PM Amir Omidi (aaomidi)  
> wrote:
>
> Did you ever hear from them?
>
> On Tuesday, March 5, 2024 at 11:18:13 AM UTC-5 Ben Wilson wrote:
>
> All,
>
> March 1 was the scheduled end of public discussion on this matter. 
> However, I have one unresolved question that I have presented to the CA 
> operator and its audit firm regarding ACAB'c membership (see MRSP section 
> 3.2). As soon as I hear back on that question, I'll provide a summary of 
> the entire discussion here.
>
> Thanks,
>
> Ben 
>
>  
>
> On Friday, February 23, 2024 at 7:36:13 AM UTC-7 regist...@e-monitoring.at 
> wrote:
>
> *Preface* 
>
> The only thing that changed is the ownership, and the ownership is 
> represented by the new management. This only formal change has already been 
> notified to the authorities and approved and registered. The rest remains 
> unchanged.
>
> e-commerce monitoring GmbH fulfills different trust service requirements 
> from ISO/IEC, eIDAS / ETSI, CA/Browser Forum to Root Program requirements, 
> remains a member of the European Trust List (EUTL) as before and is 
> permanently monitored by the Austrian Supervisory Body (RTR/TKK) and 
> regularly assessed by a Conformity Assessment Body.
>
> The management has changed from Hans G. Zeger to Emmanouil Kontos and 
> Markus Kirchmayr. The takeover of the company includes the taking over of 
> the existing, trained and trusted staff which results in no changes except 
> top management. e-commerce monitoring GmbH continues to provide 
> certification and trust services according to the respective policies.
>
> It is in the int

RE: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-05-03 Thread Roman Fischer
Dear Ben,

I’m not sure I understand “A-SIT asserts that it is precluded from joining the 
ACAB’c” correctly. Does A-SIT have any confirmation either from their 
government sponsor or from ACAB’c that they can’t join?

Rgds
Roman

From: 'Ben Wilson' via dev-security-policy@mozilla.org 

Sent: Tuesday, 30 April 2024 23:15
To: Amir Omidi (aaomidi) 
Cc: dev-security-policy@mozilla.org; regist...@e-monitoring.at 

Subject: Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by 
AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH


Hi Amir,

Here is a quick update on this issue, while I continue working on a summary of 
the discussion concerning the acquisition of e-commerce monitoring by AUSTRIA 
CARD.

Since June 1, 2022, section 3.2 of the Mozilla Root Store Policy (MRSP) has 
required that ETSI auditors be members of the Accredited Conformity Assessment 
Bodies' Council (ACAB'c). One of the underlying reasons for adopting this 
requirement was to ensure consistency in auditor qualifications, guidance, and 
attestation letters. The ACAB’c membership requirement continues to help 
improve the quality of ETSI audits. However, the MRSP also allows Mozilla to 
temporarily waive the ACAB’c membership requirement under certain circumstances.

e-commerce monitoring’s ETSI audit is currently performed by A-SIT (Secure 
Information Technology Center – Austria). According to Herbert Leithold, 
Executive Director of A-SIT, “A-SIT is a government-funded information security 
organisation with formal duties that require strict neutrality and 
independency.” For this reason, A-SIT asserts that it is precluded from joining 
the ACAB’c. While A-SIT is currently not a member of ACAB'c, it has otherwise 
met auditor qualification requirements and its audits have conformed to 
templates provided by the ACAB’c.

We are considering whether to grant a temporary approval of A-SIT as an 
exception to the ACAB’c membership requirement. Such temporary approval would 
be subject to periodic re-evaluation, and likely it would eventually be 
withdrawn. We sincerely appreciate everyone's contributions as they facilitate 
our ability to make well-informed decisions. We kindly request your insightful 
perspectives and opinions.

Thanks,

Ben

On Fri, Apr 26, 2024 at 12:09 PM Amir Omidi (aaomidi) wrote:

Did you ever hear from them?

On Tuesday, March 5, 2024 at 11:18:13 AM UTC-5 Ben Wilson wrote:

All,

March 1 was the scheduled end of public discussion on this matter. However, I 
have one unresolved question that I have presented to the CA operator and its 
audit firm regarding ACAB'c membership (see MRSP section 3.2). As soon as I 
hear back on that question, I'll provide a summary of the entire discussion 
here.

Thanks,

Ben

On Friday, February 23, 2024 at 7:36:13 AM UTC-7 regist...@e-monitoring.at 
wrote:

Preface

The only thing that changed is the ownership, and the ownership is represented 
by the new management. This only formal change has already been notified to the 
authorities and approved and registered. The rest remains unchanged.

e-commerce monitoring GmbH fulfills different trust service requirements from 
ISO/IEC, eIDAS / ETSI, CA/Browser Forum to Root Program requirements, remains a 
member of the European Trust List (EUTL) as before and is permanently monitored 
by the Austrian Supervisory Body (RTR/TKK) and regularly assessed by a 
Conformity Assessment Body.

The management has changed from Hans G. Zeger to Emmanouil Kontos and Markus 
Kirchmayr. The takeover of the company includes the taking over of the 
existing, trained and trusted staff which results in no changes except top 
management. e-commerce monitoring GmbH continues to provide certification and 
trust services according to the respective policies.

It is in the interest of AUSTRIA CARD-Plastikkarten und Ausweissysteme 
Gesellschaft m.b.H. that e-commerce monitoring GmbH continues to fully comply 
with the Browser/OS Root Store Policies.


Ownership and Governance

The ultimate beneficial owner is Nikolaos Lykos. The new shareholder of 
e-commerce monitoring GmbH is AUSTRIA CARD-Plastikkarten und Ausweissysteme 
Gesellschaft m.b.H., Nikolaos Lykos owns 77.57 % of shares in AUSTRIACARD 
HOLDINGS AG, which is the parent company of AUSTRIA CARD-Plastikkarten und 
Ausweissysteme Gesellschaft m.b.H. (it is owned 100% by AUSTRIACARD HOLDINGS 
AG).

AUSTRIACARD HOLDINGS AG is a publicly listed company with subsidiaries in 
Europe and the USA (please find more details in the prospectus on AUSTRIACARD's 
website 
(https://www.austriacard.com/wp-content/uploads/2023/01/AustriaCard_Prospectus_24.01.2023_FINAL.PUBLICATIONpdf.pdf)).

Emmanouil Kontos is the Managing Director of the company and authorized to 
represent the company solely. Markus Kirchmayr is authorized to represent the 
company jointly with Emmanouil Kontos. Both will not take any trusted roles in 
the CA operations.

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-04-30 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
Considering this is open: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1893546

I do think that such a temporary grant does not make sense. e-commerce has 
so far not shown themselves to be a good steward of public trust. What are 
the implications of e-commerce being distrusted by Mozilla, especially 
since they can't get their auditors in order? The requirement for the 
auditors being part of ACAB was made nearly 2 years ago.

According to crt.sh, e-commerce has ~150 active certificates. I'm not 
entirely sure why an exception should be made for them & the auditor they 
have picked?

Thanks,
Amir
On Tuesday, April 30, 2024 at 5:15:41 PM UTC-4 Ben Wilson wrote:

> Hi Amir,
>
> Here is a quick update on this issue, while I continue working on a 
> summary of the discussion concerning the acquisition of e-commerce 
> monitoring by AUSTRIA CARD.
>
> Since June 1, 2022, section 3.2 of the Mozilla Root Store Policy (MRSP) 
> has required that ETSI auditors be members of the Accredited Conformity 
> Assessment Bodies' Council (ACAB'c). One of the underlying reasons for 
> adopting this requirement was to ensure consistency in auditor 
> qualifications, guidance, and attestation letters. The ACAB’c membership 
> requirement continues to help improve the quality of ETSI audits. However, 
> the MRSP also allows Mozilla to temporarily waive the ACAB’c membership 
> requirement under certain circumstances.
>
> e-commerce monitoring’s ETSI audit is currently performed by A-SIT (Secure 
> Information Technology Center – Austria). According to Herbert Leithold, 
> Executive Director of A-SIT, “A-SIT is a government-funded information 
> security organisation with formal duties that require strict neutrality and 
> independency.” For this reason, A-SIT asserts that it is precluded from 
> joining the ACAB’c. While A-SIT is currently not a member of ACAB'c, it has 
> otherwise met auditor qualification requirements and its audits have 
> conformed to templates provided by the ACAB’c. 
>
> We are considering whether to grant a temporary approval of A-SIT as an 
> exception to the ACAB’c membership requirement. Such temporary approval 
> would be subject to periodic re-evaluation, and likely it would eventually 
> be withdrawn. We sincerely appreciate everyone's contributions as they 
> facilitate our ability to make well-informed decisions. We kindly request 
> your insightful perspectives and opinions.
>
> Thanks,
>
> Ben
>
>
> On Fri, Apr 26, 2024 at 12:09 PM Amir Omidi (aaomidi)  
> wrote:
>
>> Did you ever hear from them?
>>
>> On Tuesday, March 5, 2024 at 11:18:13 AM UTC-5 Ben Wilson wrote:
>>
>>> All,
>>> March 1 was the scheduled end of public discussion on this matter. 
>>> However, I have one unresolved question that I have presented to the CA 
>>> operator and its audit firm regarding ACAB'c membership (see MRSP section 
>>> 3.2). As soon as I hear back on that question, I'll provide a summary of 
>>> the entire discussion here.
>>> Thanks,
>>> Ben 
>>>
>>> On Friday, February 23, 2024 at 7:36:13 AM UTC-7 
>>> regist...@e-monitoring.at wrote:
>>>
>>>> *Preface*
>>>>
>>>> The only thing that changed is the ownership, and the ownership is
>>>> represented by the new management. This only formal change has already
>>>> been notified to the authorities and approved and registered. The rest
>>>> remains unchanged.
>>>>
>>>> e-commerce monitoring GmbH fulfills different trust service
>>>> requirements from ISO/IEC, eIDAS / ETSI, CA/Browser Forum to Root Program
>>>> requirements, remains a member of the European Trust List (EUTL) as before
>>>> and is permanently monitored by the Austrian Supervisory Body (RTR/TKK)
>>>> and regularly assessed by a Conformity Assessment Body.
>>>>
>>>> The management has changed from Hans G. Zeger to Emmanouil Kontos and
>>>> Markus Kirchmayr. The takeover of the company includes the taking over of
>>>> the existing, trained and trusted staff which results in no changes except
>>>> top management. e-commerce monitoring GmbH continues to provide
>>>> certification and trust services according to the respective policies.
>>>>
>>>> It is in the interest of AUSTRIA CARD-Plastikkarten und Ausweissysteme
>>>> Gesellschaft m.b.H. that e-commerce monitoring GmbH continues to fully
>>>> comply with the Browser/OS Root Store Policies.
>>>>
>>>>
>>>> *Ownership and Governance*
>>>>
>>>> The ultimate beneficial owner is Nikolaos Lykos. The new shareholder of
>>>> e-commerce monitoring GmbH is AUSTRIA CARD-Plastikkarten und
>>>> Ausweissysteme Gesellschaft m.b.H., Nikolaos Lykos owns 77.57 % of shares
>>>> in AUSTRIACARD HOLDINGS AG, which is the parent company of AUSTRIA
>>>> CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H. (it is owned
>>>> 100% by AUSTRIACARD HOLDINGS AG).
>>>>
>>>> AUSTRIACARD HOLDINGS AG is a publicly listed company with
>>>> subsidiaries in Europe and the USA (please find more details in the
>>>> prospectus on AUSTRIACARD's

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-04-30 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Hi Amir,

Here is a quick update on this issue, while I continue working on a summary
of the discussion concerning the acquisition of e-commerce monitoring by
AUSTRIA CARD.

Since June 1, 2022, section 3.2 of the Mozilla Root Store Policy (MRSP) has
required that ETSI auditors be members of the Accredited Conformity
Assessment Bodies' Council (ACAB'c). One of the underlying reasons for
adopting this requirement was to ensure consistency in auditor
qualifications, guidance, and attestation letters. The ACAB’c membership
requirement continues to help improve the quality of ETSI audits. However,
the MRSP also allows Mozilla to temporarily waive the ACAB’c membership
requirement under certain circumstances.

e-commerce monitoring’s ETSI audit is currently performed by A-SIT (Secure
Information Technology Center – Austria). According to Herbert Leithold,
Executive Director of A-SIT, “A-SIT is a government-funded information
security organisation with formal duties that require strict neutrality and
independency.” For this reason, A-SIT asserts that it is precluded from
joining the ACAB’c. While A-SIT is currently not a member of ACAB'c, it has
otherwise met auditor qualification requirements and its audits have
conformed to templates provided by the ACAB’c.

We are considering whether to grant a temporary approval of A-SIT as an
exception to the ACAB’c membership requirement. Such temporary approval
would be subject to periodic re-evaluation, and likely it would eventually
be withdrawn. We sincerely appreciate everyone's contributions as they
facilitate our ability to make well-informed decisions. We kindly request
your insightful perspectives and opinions.

Thanks,

Ben


On Fri, Apr 26, 2024 at 12:09 PM Amir Omidi (aaomidi) 
wrote:

> Did you ever hear from them?
>
> On Tuesday, March 5, 2024 at 11:18:13 AM UTC-5 Ben Wilson wrote:
>
>> All,
>> March 1 was the scheduled end of public discussion on this matter.
>> However, I have one unresolved question that I have presented to the CA
>> operator and its audit firm regarding ACAB'c membership (see MRSP section
>> 3.2). As soon as I hear back on that question, I'll provide a summary of
>> the entire discussion here.
>> Thanks,
>> Ben
>>
>> On Friday, February 23, 2024 at 7:36:13 AM UTC-7
>> regist...@e-monitoring.at wrote:
>>
>>> *Preface*
>>>
>>> The only thing that changed is the ownership, and the ownership is
>>> represented by the new management. This only formal change has already been
>>> notified to the authorities and approved and registered. The rest remains
>>> unchanged.
>>>
>>> e-commerce monitoring GmbH fulfills different trust service requirements
>>> from ISO/IEC, eIDAS / ETSI, CA/Browser Forum to Root Program requirements,
>>> remains a member of the European Trust List (EUTL) as before and is
>>> permanently monitored by the Austrian Supervisory Body (RTR/TKK) and
>>> regularly assessed by a Conformity Assessment Body.
>>>
>>> The management has changed from Hans G. Zeger to Emmanouil Kontos and
>>> Markus Kirchmayr. The takeover of the company includes the taking over of
>>> the existing, trained and trusted staff which results in no changes except
>>> top management. e-commerce monitoring GmbH continues to provide
>>> certification and trust services according to the respective policies.
>>>
>>> It is in the interest of AUSTRIA CARD-Plastikkarten und Ausweissysteme
>>> Gesellschaft m.b.H. that e-commerce monitoring GmbH continues to fully
>>> comply with the Browser/OS Root Store Policies.
>>>
>>>
>>> *Ownership and Governance*
>>>
>>> The ultimate beneficial owner is Nikolaos Lykos. The new shareholder of
>>> e-commerce monitoring GmbH is AUSTRIA CARD-Plastikkarten und Ausweissysteme
>>> Gesellschaft m.b.H., Nikolaos Lykos owns 77.57 % of shares in AUSTRIACARD
>>> HOLDINGS AG, which is the parent company of AUSTRIA CARD-Plastikkarten und
>>> Ausweissysteme Gesellschaft m.b.H. (it is owned 100% by AUSTRIACARD
>>> HOLDINGS AG).
>>>
>>> AUSTRIACARD HOLDINGS AG is a publicly listed company with subsidiaries
>>> in Europe and the USA (please find more details in the prospectus on
>>> AUSTRIACARD´s website (
>>> https://www.austriacard.com/wp-content/uploads/2023/01/AustriaCard_Prospectus_24.01.2023_FINAL.PUBLICATIONpdf.pdf
>>> )
>>>
>>> Emmanouil Kontos is the Managing Director of the company and authorized
>>> to represent the company solely. Markus Kirchmayr is authorized to
>>> represent the company jointly with Emmanouil Kontos. Both will not take any
>>> trusted roles in the CA operations.
>>>
>>> e-commerce monitoring GmbH is maintaining the Key Management as well as
>>> the respective roles of Key Manager and Key Custodian through the existing,
>>> trained and trusted staff.
>>>
>>> Major decisions regarding finance and management topics are made by the
>>> Managing Director Emmanouil Kontos in consultation with Markus Kirchmayr.
>>> Major decisions regarding operative topics are made by the Managing
>>> Director Emmanouil Kontos in 

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-04-26 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
Did you ever hear from them?

On Tuesday, March 5, 2024 at 11:18:13 AM UTC-5 Ben Wilson wrote:

> All,
> March 1 was the scheduled end of public discussion on this matter. 
> However, I have one unresolved question that I have presented to the CA 
> operator and its audit firm regarding ACAB'c membership (see MRSP section 
> 3.2). As soon as I hear back on that question, I'll provide a summary of 
> the entire discussion here.
> Thanks,
> Ben 
>
> On Friday, February 23, 2024 at 7:36:13 AM UTC-7 regist...@e-monitoring.at 
> wrote:
>
>> *Preface* 
>>
>> The only thing that changed is the ownership, and the ownership is 
>> represented by the new management. This only formal change has already been 
>> notified to the authorities and approved and registered. The rest remains 
>> unchanged.
>>
>> e-commerce monitoring GmbH fulfills different trust service requirements 
>> from ISO/IEC, eIDAS / ETSI, CA/Browser Forum to Root Program requirements, 
>> remains a member of the European Trust List (EUTL) as before and is 
>> permanently monitored by the Austrian Supervisory Body (RTR/TKK) and 
>> regularly assessed by a Conformity Assessment Body.
>>
>> The management has changed from Hans G. Zeger to Emmanouil Kontos and 
>> Markus Kirchmayr. The takeover of the company includes the taking over of 
>> the existing, trained and trusted staff which results in no changes except 
>> top management. e-commerce monitoring GmbH continues to provide 
>> certification and trust services according to the respective policies.
>>
>> It is in the interest of AUSTRIA CARD-Plastikkarten und Ausweissysteme 
>> Gesellschaft m.b.H. that e-commerce monitoring GmbH continues to fully 
>> comply with the Browser/OS Root Store Policies.
>>
>>
>> *Ownership and Governance*
>>
>> The ultimate beneficial owner is Nikolaos Lykos. The new shareholder of 
>> e-commerce monitoring GmbH is AUSTRIA CARD-Plastikkarten und Ausweissysteme 
>> Gesellschaft m.b.H., Nikolaos Lykos owns 77.57 % of shares in AUSTRIACARD 
>> HOLDINGS AG, which is the parent company of AUSTRIA CARD-Plastikkarten und 
>> Ausweissysteme Gesellschaft m.b.H. (it is owned 100% by AUSTRIACARD 
>> HOLDINGS AG).
>>
>> AUSTRIACARD HOLDINGS AG is a publicly listed company with subsidiaries 
>> in Europe and the USA (please find more details in the prospectus on 
>> AUSTRIACARD´s website (
>> https://www.austriacard.com/wp-content/uploads/2023/01/AustriaCard_Prospectus_24.01.2023_FINAL.PUBLICATIONpdf.pdf
>> )
>>
>> Emmanouil Kontos is the Managing Director of the company and authorized 
>> to represent the company solely. Markus Kirchmayr is authorized to 
>> represent the company jointly with Emmanouil Kontos. Both will not take any 
>> trusted roles in the CA operations. 
>>
>> e-commerce monitoring GmbH is maintaining the Key Management as well as 
>> the respective roles of Key Manager and Key Custodian through the existing, 
>> trained and trusted staff.
>>
>> Major decisions regarding finance and management topics are made by the 
>> Managing Director Emmanouil Kontos in consultation with Markus Kirchmayr. 
>> Major decisions regarding operative topics are made by the Managing 
>> Director Emmanouil Kontos in consultation with the key manager. The 
>> decision making structure can be defined as follows:
>>
>> · Define the problem or decision that needs to be made
>>
>> · Gather information and options
>>
>> · Analyze the information and options
>>
>> · Select the best option
>>
>> · Plan for implementation
>>
>> · Implement the plan
>>
>>
>> *Investment and Budget*
>>
>> e-commerce monitoring GmbH is now a 100% subsidiary of AUSTRIA 
>> CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., which is 
>> classified as “große Kapitalgesellschaft” (large corporation) and therefore 
>> needs to comply with all regulations of the Austrian GmbHG (limited 
>> liabilities company Act) and UGB (Commercial Code).
>>
>> In addition e-commerce monitoring GmbH is therefore part of the group of 
>> companies of AUSTRIACARD HOLDINGS AG, which is also classified as “große 
>> Kapitalgesellschaft” (large corporation) and in addition is a listed 
>> company on the stock exchange in Vienna and Athens. Therefore AUSTRIACARD 
>> HOLDINGS AG needs to comply with all regulations of Austrian Aktiengesetz 
>> (Joint Stock Corporation Act) and Börsegesetz (Stock Exchange Act).
>>
>> AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H, with 
>> over 40 years of experience in providing high security solutions, is 
>> maintaining an Information Security Management System as part of the ISO 
>> 27001 framework which is certified and audited on a regular basis. 
>> Furthermore Austria Card has established security policies and processes to 
>> comply and be certified according to other security standards like ISO 14298 
>> as well as Payment Card Industry standards PCI CP, PCI DSS and a 
>> qualification management system according to ISO 9001:2015.
>>
>> In the 

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-03-05 Thread Ben Wilson
All,
March 1 was the scheduled end of public discussion on this matter. However, 
I have one unresolved question that I have presented to the CA operator and 
its audit firm regarding ACAB'c membership (see MRSP section 3.2). As soon 
as I hear back on that question, I'll provide a summary of the entire 
discussion here.
Thanks,
Ben 

On Friday, February 23, 2024 at 7:36:13 AM UTC-7 regist...@e-monitoring.at 
wrote:

> *Preface* 
>
> The only thing that changed is the ownership, and the ownership is 
> represented by the new management. This only formal change has already been 
> notified to the authorities and approved and registered. The rest remains 
> unchanged.
>
> e-commerce monitoring GmbH fulfills different trust service requirements 
> from ISO/IEC, eIDAS / ETSI, CA/Browser Forum to Root Program requirements, 
> remains a member of the European Trust List (EUTL) as before and is 
> permanently monitored by the Austrian Supervisory Body (RTR/TKK) and 
> regularly assessed by a Conformity Assessment Body.
>
> The management has changed from Hans G. Zeger to Emmanouil Kontos and 
> Markus Kirchmayr. The takeover of the company includes the taking over of 
> the existing, trained and trusted staff which results in no changes except 
> top management. e-commerce monitoring GmbH continues to provide 
> certification and trust services according to the respective policies.
>
> It is in the interest of AUSTRIA CARD-Plastikkarten und Ausweissysteme 
> Gesellschaft m.b.H. that e-commerce monitoring GmbH continues to fully 
> comply with the Browser/OS Root Store Policies.
>
>
> *Ownership and Governance*
>
> The ultimate beneficial owner is Nikolaos Lykos. The new shareholder of 
> e-commerce monitoring GmbH is AUSTRIA CARD-Plastikkarten und Ausweissysteme 
> Gesellschaft m.b.H., Nikolaos Lykos owns 77.57 % of shares in AUSTRIACARD 
> HOLDINGS AG, which is the parent company of AUSTRIA CARD-Plastikkarten und 
> Ausweissysteme Gesellschaft m.b.H. (it is owned 100% by AUSTRIACARD 
> HOLDINGS AG).
>
> AUSTRIACARD HOLDINGS AG is a publicly listed company with subsidiaries 
> in Europe and the USA (please find more details in the prospectus on 
> AUSTRIACARD´s website (
> https://www.austriacard.com/wp-content/uploads/2023/01/AustriaCard_Prospectus_24.01.2023_FINAL.PUBLICATIONpdf.pdf
> )
>
> Emmanouil Kontos is the Managing Director of the company and authorized to 
> represent the company solely. Markus Kirchmayr is authorized to represent 
> the company jointly with Emmanouil Kontos. Both will not take any trusted 
> roles in the CA operations. 
>
> e-commerce monitoring GmbH is maintaining the Key Management as well as 
> the respective roles of Key Manager and Key Custodian through the existing, 
> trained and trusted staff.
>
> Major decisions regarding finance and management topics are made by the 
> Managing Director Emmanouil Kontos in consultation with Markus Kirchmayr. 
> Major decisions regarding operative topics are made by the Managing 
> Director Emmanouil Kontos in consultation with the key manager. The 
> decision making structure can be defined as follows:
>
> · Define the problem or decision that needs to be made
>
> · Gather information and options
>
> · Analyze the information and options
>
> · Select the best option
>
> · Plan for implementation
>
> · Implement the plan
>
>
> *Investment and Budget*
>
> e-commerce monitoring GmbH is now a 100% subsidiary of AUSTRIA 
> CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., which is 
> classified as “große Kapitalgesellschaft” (large corporation) and therefore 
> needs to comply with all regulations of the Austrian GmbHG (limited 
> liabilities company Act) and UGB (Commercial Code).
>
> In addition e-commerce monitoring GmbH is therefore part of the group of 
> companies of AUSTRIACARD HOLDINGS AG, which is also classified as “große 
> Kapitalgesellschaft” (large corporation) and in addition is a listed 
> company on the stock exchange in Vienna and Athens. Therefore AUSTRIACARD 
> HOLDINGS AG needs to comply with all regulations of Austrian Aktiengesetz 
> (Joint Stock Corporation Act) and Börsegesetz (Stock Exchange Act).
>
> AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H, with 
> over 40 years of experience in providing high security solutions, is 
> maintaining an Information Security Management System as part of the ISO 
> 27001 framework which is certified and audited on a regular basis. 
> Furthermore Austria Card has established security policies and processes to 
> comply and be certified according to other security standards like ISO 14298 
> as well as Payment Card Industry standards PCI CP, PCI DSS and a 
> qualification management system according to ISO 9001:2015.
>
> In the interest of fair competition we prefer not to disclose any 
> strategic, budget or any other internal confidential information.
>
>
> *Community Engagement*
>
> e-commerce monitoring GmbH is committed to serving a 

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-02-23 Thread e-commerce monitoring
*Preface* 

The only thing that changed is the ownership, and the ownership is 
represented by the new management. This only formal change has already been 
notified to the authorities and approved and registered. The rest remains 
unchanged.

e-commerce monitoring GmbH fulfills different trust service requirements 
from ISO/IEC, eIDAS / ETSI, CA/Browser Forum to Root Program requirements, 
remains a member of the European Trust List (EUTL) as before and is 
permanently monitored by the Austrian Supervisory Body (RTR/TKK) and 
regularly assessed by a Conformity Assessment Body.

The management has changed from Hans G. Zeger to Emmanouil Kontos and 
Markus Kirchmayr. The takeover of the company includes the taking over of 
the existing, trained and trusted staff which results in no changes except 
top management. e-commerce monitoring GmbH continues to provide 
certification and trust services according to the respective policies.

It is in the interest of AUSTRIA CARD-Plastikkarten und Ausweissysteme 
Gesellschaft m.b.H. that e-commerce monitoring GmbH continues to fully 
comply with the Browser/OS Root Store Policies.


*Ownership and Governance*

The ultimate beneficial owner is Nikolaos Lykos. The new shareholder of 
e-commerce monitoring GmbH is AUSTRIA CARD-Plastikkarten und Ausweissysteme 
Gesellschaft m.b.H., Nikolaos Lykos owns 77.57 % of shares in AUSTRIACARD 
HOLDINGS AG, which is the parent company of AUSTRIA CARD-Plastikkarten und 
Ausweissysteme Gesellschaft m.b.H. (it is owned 100% by AUSTRIACARD 
HOLDINGS AG).

AUSTRIACARD HOLDINGS AG is a publicly listed company with subsidiaries in 
Europe and the USA (please find more details in the prospectus on 
AUSTRIACARD´s website (
https://www.austriacard.com/wp-content/uploads/2023/01/AustriaCard_Prospectus_24.01.2023_FINAL.PUBLICATIONpdf.pdf
)

Emmanouil Kontos is the Managing Director of the company and authorized to 
represent the company solely. Markus Kirchmayr is authorized to represent 
the company jointly with Emmanouil Kontos. Both will not take any trusted 
roles in the CA operations. 

e-commerce monitoring GmbH is maintaining the Key Management as well as the 
respective roles of Key Manager and Key Custodian through the existing, 
trained and trusted staff.

Major decisions regarding finance and management topics are made by the 
Managing Director Emmanouil Kontos in consultation with Markus Kirchmayr. 
Major decisions regarding operative topics are made by the Managing 
Director Emmanouil Kontos in consultation with the key manager. The 
decision making structure can be defined as follows:

· Define the problem or decision that needs to be made

· Gather information and options

· Analyze the information and options

· Select the best option

· Plan for implementation

· Implement the plan


*Investment and Budget*

e-commerce monitoring GmbH is now a 100% subsidiary of AUSTRIA 
CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., which is 
classified as “große Kapitalgesellschaft” (large corporation) and therefore 
needs to comply with all regulations of the Austrian GmbHG (limited 
liabilities company Act) and UGB (Commercial Code).

In addition e-commerce monitoring GmbH is therefore part of the group of 
companies of AUSTRIACARD HOLDINGS AG, which is also classified as “große 
Kapitalgesellschaft” (large corporation) and in addition is a listed 
company on the stock exchange in Vienna and Athens. Therefore AUSTRIACARD 
HOLDINGS AG needs to comply with all regulations of Austrian Aktiengesetz 
(Joint Stock Corporation Act) and Börsegesetz (Stock Exchange Act).

AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H, with over 
40 years of experience in providing high security solutions, is maintaining 
an Information Security Management System as part of the ISO 27001 
framework which is certified and audited on a regular basis. Furthermore 
Austria Card has established security policies and processes to comply and be 
certified according to other security standards like ISO 14298 as well as 
Payment Card Industry standards PCI CP, PCI DSS and a qualification 
management system according to ISO 9001:2015.

In the interest of fair competition we prefer not to disclose any 
strategic, budget or any other internal confidential information.


*Community Engagement*

e-commerce monitoring GmbH is committed to serving a diverse range of 
communities, both locally and globally. Further, we strive to create 
products and services that meet the needs of various demographics. 
Additionally, we prioritize inclusivity and accessibility, ensuring that 
our offerings are accessible to individuals from all walks of life.

e-commerce monitoring GmbH is actively monitoring various legal information 
databases, other sources like Certification Authorities and Trust Service 
Providers portals by ETSI, the websites of CA Browser Forum and root store 
operators as well as participation and exchange of information 

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-02-08 Thread e-commerce monitoring
Dear All,

e-commerce monitoring GmbH is now a 100% subsidiary of AUSTRIA 
CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H., which is 
classified as “große Kapitalgesellschaft” (large corporation) and therefore 
needs to comply with all regulations of the Austrian GmbHG (limited 
liabilities company Act) and UGB (Commercial Code).

e-commerce monitoring GmbH was taken over as a fully functional and 
independent entity inside the AUSTRIA CARD group of companies. The 
certified policies, processes and commitments of e-commerce monitoring GmbH 
continue to apply.

The takeover of the company also includes the taking over of the 
established staff which results in no changes except top management and 
e-commerce monitoring GmbH will continue to adhere and operate according to 
the respective policies.

Best regards,
Daniel

On Wednesday, February 7, 2024 at 12:22:36 AM UTC+1 Ben Wilson wrote:

> Hi Aaron,
>
> On Tue, Feb 6, 2024 at 3:00 PM Aaron Gable  wrote:
>
>> e-commerce monitoring GmbH currently has multiple open bugzilla tickets 
>> which have not had any updates from their staff in multiple months:
>> - https://bugzilla.mozilla.org/show_bug.cgi?id=1815534
>> - https://bugzilla.mozilla.org/show_bug.cgi?id=1862004
>>
>
> Correct - the questions raised by these incidents still need to be 
> answered.
>  
>
>> Does the behavior of the CA being acquired factor into decisions like 
>> this, or just the behavior of the acquiring entity? 
>>
>
> The behavior of the entity being acquired and the capabilities and history 
> of the acquiring company are relevant, going back for an unspecified period 
> of time. (Factors to be considered in deciding how far to go back include 
> the nature and severity of any non-compliance and the degree to which any 
> incidents reveal persistent, systemic problems.) 
>  
>
>> If a distrust conversation were to arise in the future, how do root 
>> programs ensure that bugs filed under previous corporate names are still 
>> included in the analysis?
>>
>
> We have not experienced a lot of M&A/name-change activity recently. I 
> believe the Mozilla Community has sufficient continuity, institutional 
> memory, and community-based knowledge about the history of CA operators. 
> So, I think this concern can be handled when needed with comments from 
> community members, and changes in the names of CA operators should not 
> require that we create a new tracking solution. (If incidents are 
> sufficiently recent or still have relevance, then we could update the 
> Bugzilla bugs "Summaries" by replacing the name of the previous operator 
> with the name of the new entity when there is a name change or CA operator 
> replacement.) 
>
> Ben
>  
>
>>
>> Thanks,
>> Aaron
>>
>> On Fri, Feb 2, 2024 at 5:25 PM Ben Wilson  wrote:
>>
>>> Dear Suchan,
>>> You make a valid point. However, in this case, I wasn't sure how other 
>>> root stores would be handling this. They may have their own processes. 
>>> Also, the distribution on this list is almost 3x greater than on the CCADB 
>>> public list, so I decided to post the discussion here. 
>>> If the other root stores want to have a public discussion of this 
>>> acquisition, then we can start a discussion on CCADB Public, too.
>>> Sincerely yours,
>>> Ben
>>>
>>> On Fri, Feb 2, 2024 at 5:53 PM Suchan Seo  wrote:
>>>
>>>> While I don't have the knowledge to comment on the acquisition itself,
>>>> doesn't this fit the CCADB mailing list better? I thought root store
>>>> policy about individual roots was moved there.
>>>> On Saturday, February 3, 2024 at 1:45:19 AM UTC+9, Ben Wilson wrote:
>>>>
>>>>> All,
>>>>>
>>>>> Recently we were advised that e-commerce monitoring GmbH is being 
>>>>> acquired by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH.
>>>>>
>>>>> e-commerce monitoring operates the GLOBALTRUST 2020 root CA that is 
>>>>> included in the Mozilla root store. They have advised us of the following:
>>>>>
>>>>> There are no changes to the operation of the CA and RA functions.
>>>>>
>>>>> Changes to the corporate structure:
>>>>>
>>>>> - New shareholder:
>>>>> AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H.
>>>>> registered under the number FN 98272v commercial court Vienna
>>>>> Lamezanstraße 4-8
>>>>> 1230 Vienna, Austria
>>>>> https://www.austriacard.com/
>>>>>
>>>>> - New Management
>>>>> new: CEO ("Geschäftsführer") Mr. Emmanouil Kontos
>>>>> new: Attorney ("Prokurist") Mr. Markus Kirchmayr
>>>>> old: CEO Hans Zeger
>>>>>
>>>>> - Registered headquarter
>>>>> new: Handelskai 388/621, 1020 Vienna, Austria
>>>>> old: Redtenbachergasse 20, 1160 Vienna, Austria
>>>>>
>>>>> According to section 8.1 of the Mozilla Root Store Policy, “If the 
>>>>> receiving or acquiring company is new to the Mozilla root store, it MUST 
>>>>> demonstrate compliance with the entirety of this policy. There MUST be a 
>>>>> public discussion regarding its admittance to the root store. If Mozilla 
>>>>> reaches a positive conclusion after public discussion, then the 

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-02-06 Thread Ben Wilson
Hi Aaron,

On Tue, Feb 6, 2024 at 3:00 PM Aaron Gable  wrote:

> e-commerce monitoring GmbH currently has multiple open bugzilla tickets
> which have not had any updates from their staff in multiple months:
> - https://bugzilla.mozilla.org/show_bug.cgi?id=1815534
> - https://bugzilla.mozilla.org/show_bug.cgi?id=1862004
>

Correct - the questions raised by these incidents still need to be answered.


> Does the behavior of the CA being acquired factor into decisions like
> this, or just the behavior of the acquiring entity?
>

The behavior of the entity being acquired and the capabilities and history
of the acquiring company are relevant, going back for an unspecified period
of time. (Factors to be considered in deciding how far to go back include
the nature and severity of any non-compliance and the degree to which any
incidents reveal persistent, systemic problems.)


> If a distrust conversation were to arise in the future, how do root
> programs ensure that bugs filed under previous corporate names are still
> included in the analysis?
>

We have not experienced a lot of M&A/name-change activity recently. I
believe the Mozilla Community has sufficient continuity, institutional
memory, and community-based knowledge about the history of CA operators.
So, I think this concern can be handled when needed with comments from
community members, and changes in the names of CA operators should not
require that we create a new tracking solution. (If incidents are
sufficiently recent or still have relevance, then we could update the
Bugzilla bugs "Summaries" by replacing the name of the previous operator
with the name of the new entity when there is a name change or CA operator
replacement.)

Ben


>
> Thanks,
> Aaron
>
> On Fri, Feb 2, 2024 at 5:25 PM Ben Wilson  wrote:
>
>> Dear Suchan,
>> You make a valid point. However, in this case, I wasn't sure how other
>> root stores would be handling this. They may have their own processes.
>> Also, the distribution on this list is almost 3x greater than on the CCADB
>> public list, so I decided to post the discussion here.
>> If the other root stores want to have a public discussion of this
>> acquisition, then we can start a discussion on CCADB Public, too.
>> Sincerely yours,
>> Ben
>>
>> On Fri, Feb 2, 2024 at 5:53 PM Suchan Seo  wrote:
>>
>>> While I don't have the knowledge to comment on the acquisition itself,
>>> doesn't this fit the CCADB mailing list better? I thought root store
>>> policy about individual roots was moved there.
>>> On Saturday, February 3, 2024 at 1:45:19 AM UTC+9, Ben Wilson wrote:
>>>
>>>> All,
>>>>
>>>> Recently we were advised that e-commerce monitoring GmbH is being
>>>> acquired by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH.
>>>>
>>>> e-commerce monitoring operates the GLOBALTRUST 2020 root CA that is
>>>> included in the Mozilla root store. They have advised us of the following:
>>>>
>>>> There are no changes to the operation of the CA and RA functions.
>>>>
>>>> Changes to the corporate structure:
>>>>
>>>> - New shareholder:
>>>> AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H.
>>>> registered under the number FN 98272v commercial court Vienna
>>>> Lamezanstraße 4-8
>>>> 1230 Vienna, Austria
>>>> https://www.austriacard.com/
>>>>
>>>> - New Management
>>>> new: CEO ("Geschäftsführer") Mr. Emmanouil Kontos
>>>> new: Attorney ("Prokurist") Mr. Markus Kirchmayr
>>>> old: CEO Hans Zeger
>>>>
>>>> - Registered headquarter
>>>> new: Handelskai 388/621, 1020 Vienna, Austria
>>>> old: Redtenbachergasse 20, 1160 Vienna, Austria
>>>>
>>>> According to section 8.1 of the Mozilla Root Store Policy, “If the
>>>> receiving or acquiring company is new to the Mozilla root store, it MUST
>>>> demonstrate compliance with the entirety of this policy. There MUST be a
>>>> public discussion regarding its admittance to the root store. If Mozilla
>>>> reaches a positive conclusion after public discussion, then the affected
>>>> certificate(s) MAY remain in the root store.”
>>>>
>>>> By this email, I am initiating a four-week public discussion period,
>>>> scheduled to close on Friday, 1-March-2024, to allow for at least three
>>>> full weeks of public discussion. The first week (Feb. 5 – 9) is intended to
>>>> give the acquiring company time to address the following topics:
>>>>
>>>> ·Compliance with the Mozilla Root Store Policy
>>>>
>>>> ·Ownership and governance
>>>>
>>>> ·Investment and budget for CA operations, risk management, and
>>>> compliance
>>>>
>>>> ·Community engagement and involvement in industry groups
>>>>
>>>> ·Employee expertise and continuity
>>>>
>>>> ·Operational design and ongoing GRC management
>>>>
>>>> ·Auditors and auditing
>>>>
>>>> Thanks,
>>>>
>>>> Ben Wilson
>>>>
>>>> Mozilla Root Store Program


Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-02-06 Thread 'Aaron Gable' via dev-security-policy@mozilla.org
e-commerce monitoring GmbH currently has multiple open bugzilla tickets
which have not had any updates from their staff in multiple months:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1815534
- https://bugzilla.mozilla.org/show_bug.cgi?id=1862004

Does the behavior of the CA being acquired factor into decisions like this,
or just the behavior of the acquiring entity? If a distrust conversation
were to arise in the future, how do root programs ensure that bugs filed
under previous corporate names are still included in the analysis?

Thanks,
Aaron

On Fri, Feb 2, 2024 at 5:25 PM Ben Wilson  wrote:

> Dear Suchan,
> You make a valid point. However, in this case, I wasn't sure how other
> root stores would be handling this. They may have their own processes.
> Also, the distribution on this list is almost 3x greater than on the CCADB
> public list, so I decided to post the discussion here.
> If the other root stores want to have a public discussion of this
> acquisition, then we can start a discussion on CCADB Public, too.
> Sincerely yours,
> Ben
>
> On Fri, Feb 2, 2024 at 5:53 PM Suchan Seo  wrote:
>
>> While I don't have the knowledge to comment on the acquisition itself,
>> doesn't this fit the CCADB mailing list better? I thought root store
>> policy about individual roots was moved there.
>> On Saturday, February 3, 2024 at 1:45:19 AM UTC+9, Ben Wilson wrote:
>>
>>> All,
>>>
>>> Recently we were advised that e-commerce monitoring GmbH is being
>>> acquired by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH.
>>>
>>> e-commerce monitoring operates the GLOBALTRUST 2020 root CA that is
>>> included in the Mozilla root store. They have advised us of the following:
>>>
>>> There are no changes to the operation of the CA and RA functions.
>>>
>>> Changes to the corporate structure:
>>>
>>> - New shareholder:
>>> AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H.
>>> registered under the number FN 98272v commercial court Vienna
>>> Lamezanstraße 4-8
>>> 1230 Vienna, Austria
>>> https://www.austriacard.com/
>>>
>>> - New Management
>>> new: CEO ("Geschäftsführer") Mr. Emmanouil Kontos
>>> new: Attorney ("Prokurist") Mr. Markus Kirchmayr
>>> old: CEO Hans Zeger
>>>
>>> - Registered headquarter
>>> new: Handelskai 388/621, 1020 Vienna, Austria
>>> old: Redtenbachergasse 20, 1160 Vienna, Austria
>>>
>>> According to section 8.1 of the Mozilla Root Store Policy, “If the
>>> receiving or acquiring company is new to the Mozilla root store, it MUST
>>> demonstrate compliance with the entirety of this policy. There MUST be a
>>> public discussion regarding its admittance to the root store. If Mozilla
>>> reaches a positive conclusion after public discussion, then the affected
>>> certificate(s) MAY remain in the root store.”
>>>
>>> By this email, I am initiating a four-week public discussion period,
>>> scheduled to close on Friday, 1-March-2024, to allow for at least three
>>> full weeks of public discussion. The first week (Feb. 5 – 9) is intended to
>>> give the acquiring company time to address the following topics:
>>>
>>> - Compliance with the Mozilla Root Store Policy
>>> - Ownership and governance
>>> - Investment and budget for CA operations, risk management, and compliance
>>> - Community engagement and involvement in industry groups
>>> - Employee expertise and continuity
>>> - Operational design and ongoing GRC management
>>> - Auditors and auditing
>>>
>>> Thanks,
>>>
>>> Ben Wilson
>>>
>>> Mozilla Root Store Program
>>>


Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-02-02 Thread Ben Wilson
Dear Suchan,
You make a valid point. However, in this case, I wasn't sure how other root
stores would be handling this. They may have their own processes. Also, the
distribution on this list is almost 3x greater than on the CCADB public
list, so I decided to post the discussion here.
If the other root stores want to have a public discussion of this
acquisition, then we can start a discussion on CCADB Public, too.
Sincerely yours,
Ben

On Fri, Feb 2, 2024 at 5:53 PM Suchan Seo wrote:

> While I don't have the knowledge to comment on the acquisition itself,
> doesn't this fit better on the CCADB mailing list? I thought root store
> policy about individual roots was moved there.
> On Saturday, February 3, 2024 at 1:45:19 AM UTC+9, Ben Wilson wrote:
>
>> All,
>>
>> Recently we were advised that e-commerce monitoring GmbH is being
>> acquired by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH.
>>
>> e-commerce monitoring operates the GLOBALTRUST 2020 root CA that is
>> included in the Mozilla root store. They have advised us of the following:
>>
>> There are no changes to the operation of the CA and RA functions.
>>
>> Changes to the corporate structure:
>>
>> - New shareholder:
>> AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H.
>> registered under the number FN 98272v commercial court Vienna
>> Lamezanstraße 4-8
>> 1230 Vienna, Austria
>> https://www.austriacard.com/
>>
>> - New Management
>> new: CEO ("Geschäftsführer") Mr. Emmanouil Kontos
>> new: Attorney ("Prokurist") Mr. Markus Kirchmayr
>> old: CEO Hans Zeger
>>
>> - Registered headquarter
>> new: Handelskai 388/621, 1020 Vienna, Austria
>> old: Redtenbachergasse 20, 1160 Vienna, Austria
>>
>> According to section 8.1 of the Mozilla Root Store Policy, “If the
>> receiving or acquiring company is new to the Mozilla root store, it MUST
>> demonstrate compliance with the entirety of this policy. There MUST be a
>> public discussion regarding its admittance to the root store. If Mozilla
>> reaches a positive conclusion after public discussion, then the affected
>> certificate(s) MAY remain in the root store.”
>>
>> By this email, I am initiating a four-week public discussion period,
>> scheduled to close on Friday, 1-March-2024, to allow for at least three
>> full weeks of public discussion. The first week (Feb. 5 – 9) is intended to
>> give the acquiring company time to address the following topics:
>>
>> - Compliance with the Mozilla Root Store Policy
>> - Ownership and governance
>> - Investment and budget for CA operations, risk management, and compliance
>> - Community engagement and involvement in industry groups
>> - Employee expertise and continuity
>> - Operational design and ongoing GRC management
>> - Auditors and auditing
>>
>> Thanks,
>>
>> Ben Wilson
>>
>> Mozilla Root Store Program
>>
>


Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-02-02 Thread Suchan Seo
While I don't have the knowledge to comment on the acquisition itself,
doesn't this fit better on the CCADB mailing list? I thought root store
policy about individual roots was moved there.
On Saturday, February 3, 2024 at 1:45:19 AM UTC+9, Ben Wilson wrote:

> All,
>
> Recently we were advised that e-commerce monitoring GmbH is being acquired 
> by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH.
>
> e-commerce monitoring operates the GLOBALTRUST 2020 root CA that is 
> included in the Mozilla root store. They have advised us of the following:
>
> There are no changes to the operation of the CA and RA functions.
>
> Changes to the corporate structure:
>
> - New shareholder:
> AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H.
> registered under the number FN 98272v commercial court Vienna
> Lamezanstraße 4-8
> 1230 Vienna, Austria
> https://www.austriacard.com/
>
> - New Management
> new: CEO ("Geschäftsführer") Mr. Emmanouil Kontos
> new: Attorney ("Prokurist") Mr. Markus Kirchmayr
> old: CEO Hans Zeger
>
> - Registered headquarter
> new: Handelskai 388/621, 1020 Vienna, Austria
> old: Redtenbachergasse 20, 1160 Vienna, Austria
>
> According to section 8.1 of the Mozilla Root Store Policy, “If the 
> receiving or acquiring company is new to the Mozilla root store, it MUST 
> demonstrate compliance with the entirety of this policy. There MUST be a 
> public discussion regarding its admittance to the root store. If Mozilla 
> reaches a positive conclusion after public discussion, then the affected 
> certificate(s) MAY remain in the root store.”
>
> By this email, I am initiating a four-week public discussion period, 
> scheduled to close on Friday, 1-March-2024, to allow for at least three 
> full weeks of public discussion. The first week (Feb. 5 – 9) is intended to 
> give the acquiring company time to address the following topics:
>
> - Compliance with the Mozilla Root Store Policy
> - Ownership and governance
> - Investment and budget for CA operations, risk management, and compliance
> - Community engagement and involvement in industry groups
> - Employee expertise and continuity
> - Operational design and ongoing GRC management
> - Auditors and auditing
>
> Thanks,
>
> Ben Wilson
>
> Mozilla Root Store Program
>


Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-02-02 Thread Ben Wilson
All,

Recently we were advised that e-commerce monitoring GmbH is being acquired
by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH.

e-commerce monitoring operates the GLOBALTRUST 2020 root CA that is
included in the Mozilla root store. They have advised us of the following:

There are no changes to the operation of the CA and RA functions.

Changes to the corporate structure:

- New shareholder:
AUSTRIA CARD-Plastikkarten und Ausweissysteme Gesellschaft m.b.H.
registered under the number FN 98272v commercial court Vienna
Lamezanstraße 4-8
1230 Vienna, Austria
https://www.austriacard.com/

- New Management
new: CEO ("Geschäftsführer") Mr. Emmanouil Kontos
new: Attorney ("Prokurist") Mr. Markus Kirchmayr
old: CEO Hans Zeger

- Registered headquarter
new: Handelskai 388/621, 1020 Vienna, Austria
old: Redtenbachergasse 20, 1160 Vienna, Austria

According to section 8.1 of the Mozilla Root Store Policy, “If the
receiving or acquiring company is new to the Mozilla root store, it MUST
demonstrate compliance with the entirety of this policy. There MUST be a
public discussion regarding its admittance to the root store. If Mozilla
reaches a positive conclusion after public discussion, then the affected
certificate(s) MAY remain in the root store.”

By this email, I am initiating a four-week public discussion period,
scheduled to close on Friday, 1-March-2024, to allow for at least three
full weeks of public discussion. The first week (Feb. 5 – 9) is intended to
give the acquiring company time to address the following topics:

- Compliance with the Mozilla Root Store Policy
- Ownership and governance
- Investment and budget for CA operations, risk management, and compliance
- Community engagement and involvement in industry groups
- Employee expertise and continuity
- Operational design and ongoing GRC management
- Auditors and auditing

Thanks,

Ben Wilson

Mozilla Root Store Program
