All,

On August 28, 2023, we began a six-week, public discussion[1] on the
following root CA certificates issued by CommScope:

   1. CommScope Public Trust RSA Root-01

      Use cases served/EKUs:

      - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
      - Client Authentication 1.3.6.1.5.5.7.3.2

   2. CommScope Public Trust RSA Root-02

      Use cases served/EKUs:

      - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
      - Client Authentication 1.3.6.1.5.5.7.3.2

   3. CommScope Public Trust ECC Root-01

      Use cases served/EKUs:

      - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
      - Client Authentication 1.3.6.1.5.5.7.3.2

   4. CommScope Public Trust ECC Root-02

      Use cases served/EKUs:

      - Server Authentication (TLS) 1.3.6.1.5.5.7.3.1
      - Client Authentication 1.3.6.1.5.5.7.3.2

The public discussion period ended today, October 10, 2023.

Summary of Questions and Responses

One question asked about the particular value that CommScope would add to
the web PKI.

CommScope replied that it had served companies like Motorola, Broadcom,
Verizon, and T-Mobile and that it had manufacturing experience provisioning
solutions for billions of IoT devices. In addition to device manufacturing,
CommScope said that it would serve “device manufacturers and operators of
device fleets, whose requirements are not the same as typical web site
operator.”

One commenter noted that embedded systems tend to run out-of-date software
that is never updated and that using publicly-trusted certificates with
embedded systems harms the WebPKI by holding back progress and that CAs
will sometimes misissue certificates to older devices for compatibility
reasons.

Follow-up questions from two commenters asked how CommScope would ensure
that devices with certificates would stay up-to-date with TLS and WebPKI
ecosystem requirements and how certificates on such devices would be
replaced in the event that an arbitrarily large number of certificates
needed to be revoked within the timelines specified by the CA/Browser
Forum’s Baseline Requirements.

CommScope responded that it participates in CA/Browser Forum discussions
and monitors root programs for rule changes and would take a proactive
approach to compliance with industry standards. They also said that they
would ensure compliance by notifying device manufacturers and service
providers and assist them with updates as needed. CommScope also claimed to
have the capacity for bulk, high-volume certificate revocation and
automated certificate replacement on devices.

Another comment pointed out that CommScope had issued test certificates
with empty SCT extensions.

CommScope explained the difficulty experienced in submitting certificates
to CT logs, and it agreed to revoke and replace the certificates in
question. It also filed an incident report.[2]

One commenter asked whether CommScope would be issuing certificates to
other entities or only to its own products.

CommScope said that it would be issuing certificates to other entities.

Another question was whether CommScope would use ACME.

CommScope said that it supported certificate enrollment using ACME and
CMPv2 and would use them if the deploying organization required their use.

Another question asked about the domain validation methods that CommScope
would use.

CommScope said that it currently uses email to the Domain Contact (BR §
3.2.2.4.2) and DNS Change (BR § 3.2.2.4.7) to perform domain validation,
but that it had the ability to support ACME (“Agreed-Upon Change to Website
– ACME” method (BR § 3.2.2.4.19)) when the business need arises.

Conclusion

We thank the community for its review and consideration during this period.
Root Store Programs will make final inclusion decisions independently, on
their own timelines, and based on each Root Store Member’s inclusion
criteria. Further discussion may take place in the independently managed
Root Store community forums (i.e., MDSP).

Ben

[1] https://groups.google.com/a/ccadb.org/g/public/c/HVwBXDw6GnU/m/1LsNC19RAQAJ
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1852404#c7

On Thu, Oct 5, 2023 at 10:44 AM 'So, Nicol' via CCADB Public <
public@ccadb.org> wrote:

> On Tue, 03 Oct 2023 05:41:50 -0700, Seo Suchan wrote:
>
> > what kind of validation methods you'll use for your certificates? as in
> > allowed method numbered in ca/b br? as you said will use acme I guess
> > 3.2.2.4.7 /19/20 , right?
>
> As stated in our CP/CPS, CommScope currently supports 2 methods for domain
> control validation:
>
>    - Email to Domain Contact (BR § 3.2.2.4.2)
>    - DNS Change (BR § 3.2.2.4.7)
>
> We have the technical capability to support ACME’s automated domain
> validation methods, but we currently don’t offer them. (ACME can be used
> with external account binding and have domain validation performed outside
> the protocol.) Going forward, we will support the “Agreed-Upon Change to
> Website – ACME” method (BR § 3.2.2.4.19) when the business need arises.
>
> Nicol So
>
> --
> You received this message because you are subscribed to the Google Groups
> "CCADB Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to public+unsubscr...@ccadb.org.
> To view this discussion on the web visit
> https://groups.google.com/a/ccadb.org/d/msgid/public/LV8PR14MB753428A208508557E334017786CAA%40LV8PR14MB7534.namprd14.prod.outlook.com
>
