Dear All,

The public discussion period for the three SecureTrust roots ended yesterday, and I don't believe that we received any comments. I intend to recommend that this request be approved unless there are any reasons why the request should be denied.

Thanks,
Ben

On Mon, Aug 3, 2020 at 1:24 PM Ben Wilson <bwil...@mozilla.com> wrote:

> This email announces an intent to include the following three (3) root certificates as trust anchors with the websites and email trust bits enabled, and to enable each root for EV as documented in the following Bugzilla case: https://bugzilla.mozilla.org/show_bug.cgi?id=1528369
>
> This email commences the three-week public discussion period set forth in https://wiki.mozilla.org/CA/Application_Verification#Public_Discussion.
>
> The three root CA certificates are as follows:
>
> *Trustwave Global Certification Authority* – valid from 23-Aug-2017
>
> SHA2: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
>
> *Trustwave Global ECC P256 Certification Authority* – valid from 23-Aug-2017
>
> SHA2: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
>
> *Trustwave Global ECC P384 Certification Authority* –
>
> SHA2: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
>
> *A Summary of Information Gathered and Verified appears here in the CCADB:*
>
> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000392
>
> *Root Certificate Download URLs are as follows:*
>
> https://certs.securetrust.com/CA/TWGCA.txt
>
> https://certs.securetrust.com/CA/TWGP256CA.txt
>
> https://certs.securetrust.com/CA/TWGP384CA.txt
>
> *CP/CPS:* We have reviewed the CPS and provided comments, which were incorporated into SecureTrust's most recent CPS:
>
> https://certs.securetrust.com/CA/SecureTrustCPS_62.pdf
>
> (Repository location: https://ssl.trustwave.com/CA / https://certs.securetrust.com/CA/)
>
> *SecureTrust’s BR Self Assessment* is located here: https://bugzilla.mozilla.org/attachment.cgi?id=9060769
>
> *Audits:* Annual audits are performed by BDO International, Ltd. according to the WebTrust Standard, BR and EV audit criteria. I have reviewed the key generation audit report from Grant Thornton and subsequent 2018 and 2019 audit reports for these three roots and determined that there is continuity (all three are included in WebTrust Standard, BR and EV audits continuously since CA generation). Minor issues were found by BDO International, Ltd., as part of the 2019 Baseline Requirements audit.[1] These issues were addressed in [2], which was closed by Mozilla on 14-Mar-2020.
>
> [1] https://certs.securetrust.com/CA/2%20-%20SecureTrust%202019%20SSL%20BL%20Report.pdf
>
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1606031 (BR Audit 2019 - matters to be resolved)
>
> I ran mis-issuance reports for the three roots with linting to look for issuance errors and didn’t find any from the three above-mentioned roots.
>
> Other closed CA Incidents for SecureTrust include the following:
>
> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1546776 (Unvalidated domain in certificate)
>
> [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1551374 ("Some-State" in stateOrProvinceName)
>
> [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1600844 (Unconstrained ICA not included in WTBR audit report)
>
> [6] https://bugzilla.mozilla.org/show_bug.cgi?id=1646711 (Metadata-only field values in 2 certificates)
>
> This email begins the three-week public discussion period, which will close on 24-August-2020.
>
> Sincerely yours,
>
> Ben Wilson
>
> Mozilla Root Program