In accordance with the CA inclusion process,[1] this is a summary of the public discussion of Microsec’s application for inclusion of the e-Szigno Root CA 2017 into the Mozilla root store, and to EV enable it and the currently-included e-Szigno Root CA 2009. The request is documented in Bugzilla #1445364.[2] The public discussion began on 9-March-2020.[3] The email launching the public discussion and comments received during the public discussion raised a number of issues, not all of which are itemized here, including:
* the CPS was unclear about certificate problem reporting and revocation request processing[4]; and
* Microsec has had systemic, standards-related non-conformities, e.g. Bug# 1622539[5], and needs to demonstrate better behavior in keeping up with and complying with the CABF Baseline Requirements and root store policy.[6]

Microsec is resolving these concerns by:
- updating its CPS[7][8]; and
- committing to engage in better compliance with industry standards[9].

In my opinion Microsec has demonstrated sufficient response that we do not need to remove Microsec from Mozilla’s root store. Therefore, once I am satisfied after a review of the updated CPS, I am planning to recommend that we approve the request to include the e-Szigno Root CA 2017 certificate and enable the websites trust bit. However, I plan to deny the request for EV treatment for both root certificates. Microsec may re-apply by filing a new request for EV treatment after they have demonstrated improved compliance with the BRs and EV Guidelines.

I appreciate any feedback on this proposed course of action.

[1] https://wiki.mozilla.org/CA/Application_Process#Process_Overview
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1445364
[3] https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/QrhdAWq_AAAJ
[4] https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/KN-gnSLLAAAJ
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1622539
[6] https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/T7hcaOYGAQAJ
[7] https://groups.google.com/d/msg/mozilla.dev.security.policy/rHTmKOzspCo/pyZKc40_CQAJ
[8] https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/1L0crAafm30
[9] https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/mNFZGgXBAgAJ

On Mon, Apr 20, 2020 at 5:44 AM Sándor dr. Szőke via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Dear Ben,
>
> I confirm that Microsec will correct all issues in the CP and CPS
> documents as promised during the public discussion.
>
> Thanks to everyone who took the time to read Microsec CP and CPS and to
> comment on them.
>
> If there are no more comments on the content of our CP and CPS documents
> in the public discussion, we will review the thread again and gather all
> the issues to be resolved.
> As usual, Microsec will review current versions of all applicable
> requirements for changes.
>
> I confirm that the section 1.5.2 will be changed. The High Priority
> Certificate Problem Report will be reviewed and will be moved here from
> section 4.9.3.
>
> Other issues I can see after a brief overview:
> - Preliminary report in case of Certificate problem report in section 4.9.5
> - correct the reference to section 1.3.1 instead of 1.2 in section 4.9.5
> - review the email address validation rules in case of non-automatic
> validation procedure in section 3.2.7
>
> I expect that Microsec will be able to do it within one week and will
> prepare the draft version of the public documents by the end of April.
>
> We publish the drafts on our website and send them to the auditor and our
> supervisory authority at the same time.
>
> This is followed by a 30-day commenting period during which anyone can
> comment on the planned changes.
> If significant issues arise during this period, the draft shall be amended
> and the 30 days shall begin again.
> If there are no significant issues, the new document will enter into force
> by the end of May 2020.
>
> Please let us know if you expect us to take any further steps in this
> process.
>
> Best regards,
>
> Sándor
>
> dr. Sándor Szőke
> Microsec deputy director
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy