Dear All,

Microsec Ltd. is dedicated to complying with the standards and industry best practices at all times, including the applicable IETF RFCs, ETSI standards and technical specifications, the CA/Browser Forum Baseline Requirements, Extended Validation Guidelines and Network Security Controls, as well as the Mozilla Root Store Policy and other root program policies. As an EU-based Qualified Trust Service Provider, we provide trust services that are regulated and nationally supervised under Regulation (EU) No 910/2014 (eIDAS), which mandates an annual conformity assessment by an accredited conformity assessment body.
In order to comply with all the latest legal and technical requirements, our CP/CPS documents incorporate all requirements from the above-mentioned applicable sources, and we actively monitor updates to the IETF RFCs, ETSI standards, CA/Browser Forum documents, the Mozilla Root Store Policy and other root program policies. As changes in the totality of requirements occur quite frequently, we regularly update our practices and develop our systems to ensure compliance with the changes too. Our annual conformity assessment, performed by TÜV Informationstechnik GmbH (TÜViT), is always based on the current version of the standards, as detailed in the Audit Attestation. Microsec greatly appreciates the detailed evaluation of our inclusion request, as well as the automated checks in the CCADB, since these enhance transparency and contribute to the security of the ecosystem. We welcome the opportunity to engage in the public discussion, to provide supporting information that none of the findings of the evaluation represent a significant risk for Mozilla users, and to take away any useful advice which might help us further improve our practices and documentation.

Regarding the findings, please consider the information and explanations provided in our previous postings to this thread and several other threads, which are summarized below:

2020-03-09 - The thread was opened by Kathleen Wilson.

2020-03-11 - First responses, which were published one day later due to a moderator approval delay. At first, Microsec gave some background information regarding the relatively high number of audit findings:
https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/78T_0HWkAQAJ
Then, Microsec uploaded the first answers to the original ===Meh=== and ===Bad=== findings of Wayne:
https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/xNUov3WkAQAJ

2020-03-12 - Discussion to clarify the proper place of the Private Key Compromise information in the CPS:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/1L0crAafm30

2020-03-13 - Incident report about the issuance of 2 IVCP precertificates without givenName, surName and localityName fields:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/C8YdPLAmCOE
The evaluation of the issue is proceeding according to the planned schedule.

2020-03-24 - Discussion: Microsec: Revoked subordinate CA certificates under the „Microsec e-Szigno Root CA 2009” root:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/QqYm4BhFMHs
It is a complex issue, and it is probably better to explain it in a separate discussion than as part of the present thread. Wayne asked to transform this information into a formal incident report. Microsec will do it soon.

2020-03-24 - Short explanations for the year 2018 audit findings:
https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/iiMVWwQGBAAJ

2020-03-27 - Short explanations for the year 2019 audit findings:
https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/ofERMFLnAQAJ

We hope the above information reinforces that our procedures are reliable and our certificates are trustworthy. We would like to thank Wayne, Matt, Ryan and all members of the forum for your valued feedback, which we can use as input to our continuous efforts to improve the clarity of our documentation and the high quality of our services. We remain open to constructive discussion regarding our inclusion request, as always.
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy